Readings and Questions 


I. THE DEFENSIVE PERSPECTIVE 

For the first half of the course, we will focus on the defensive perspective. That is, we will focus 
on the overarching public-policy goals of (i) minimizing unauthorized access to (or disruption of) 
computers and (ii) mitigating harm when such access or disruption occurs. 

When it comes to minimizing unauthorized access and disruption, the main idea is to increase 
both the undesirable consequences attackers risk and the level of difficulty they face if they are 
not deterred. There is a lot of room for improvement on both dimensions, no doubt; plenty of 
targets are not difficult to access or disrupt, and attackers often stand to gain much more than 
they realistically stand to lose. 

Our goal is to understand the various institutions, policies, and legal frameworks that define the 
status quo on these matters; to grasp the competing interests that are in play; and to wrestle 
with the question of how we might do better. 

We will subdivide the defensive unit in a way that tracks these considerations. First, we will spend 
several classes examining the current U.S. approach to imposing consequences on attackers 
(including criminal and civil forms of liability, but also non-legal modes of punishment). Second, 
we will spend several more classes examining forces that, by design, incentivize potential victims to do 
more in their own defense (or, more to the point in many cases, in defense of their customers, 
employees, etc.). And then we will conclude with a sequence examining what happens when 
attackers nonetheless succeed, looking at consequence management both in “normal” cases 
and those that have national significance. 

A. Punishing Unauthorized Access: Imposing Costs on Attackers 

A note on terminology up front: we will often use the word “attacker” as a shorthand referring to 
a person or organization that seeks to access a system in an unauthorized way (or to disrupt the 
proper functioning of a system). 

Attackers come in many shapes and sizes. Some are sophisticated professionals, others are rank 
amateurs. Some are state-sponsored, some are part of non-state organized groups, and some 
are individuals. Some are crooks. Some are spies (including our spies; “spies” isn’t pejorative). 
Some are just showing off skills. Some are in it for the laughs. Some do it to settle personal scores. 
Some are seeking competitive advantage. Some mean well, hoping to spur people to try harder 
on defense by exposing weaknesses in hopes that they'll be remedied. Some are malicious, 
hoping to cause harm (or to use your system to cause harm to others). The point being: there are 
many potential attackers out there, with a wide variety of motives and capacities, some awful 
and others laudable. Bear this in mind as we examine the various tools that we currently have— 
or might one day have—to impose consequences on attackers. 

We start this sequence with a warm-up class, familiarizing ourselves with terms and contexts 
relating to the criminal side of our topic. Class 1 explores the black markets in which various 
things of value relating to cybersecurity—stolen data, access to and control of compromised machines, 
tools to breach systems—are bought and sold. After that, we have a pair of classes focused on 
the federal law enforcement entities that are relevant for cybersecurity and the federal criminal 
laws (especially the Computer Fraud and Abuse Act, aka “CFAA”) they enforce. The CFAA is 
not really just one law, but several distinct ones. It raises fascinating and difficult questions of 
interpretation and design. We will dive deep into the CFAA as it has been used in practice, 
examining several controversial prosecutions and key current issues. We also will look at other 
federal laws that attacks may implicate, and we will note that there are similar (but sometimes 
conspicuously different) provisions found in state law (not to mention the laws of foreign states). 

In Class 4, we will turn our attention to a different type of cost that might be imposed on an 
attacker: civil liability (especially damages). The CFAA has a role to play here too, but we'll also 
take note of several other sources of potential liability. We will pay particular attention to the 
reasons it may be hard to make effective use of this tool, and we will consider whether and why 
changes to the legal architecture might make sense. 

Next, we will turn in Classes 5 and 6 to consider a special breed of attacker: states. States 
sometimes attack using their own government-employed personnel, and they sometimes 
outsource the function to private, semi-private, and faux-private actors (see the writings of Tim 
Maurer on this). At any rate, the phenomenon of state-sponsored attacks raises a host of 
complex policy questions. We will first spend time considering concepts like attribution, 
deterrence, cross-domain deterrence, and escalation, and then we will look at a series of recent 
case studies (involving Russian and Chinese attacks on US entities) in order to understand which 
tools do and do not seem to have bite in this distinct setting. 

1. August 29 - Introduction: Attack, Black Markets, and Crime 


• Start by generating a long list of reasons (stated at a high level of generality) why 
someone might try to gain unauthorized access to (or disrupt the functioning of) a 
computer or network. Bear in mind that some attackers are private individuals, while 
others may be part of larger organizations (private or governmental). Perhaps make 
separate lists? 

• When a person or entity wants to gain unauthorized access to (or disrupt the functioning 
of) a computer or network, it certainly helps if that person or entity already has the skill 
and resources needed to develop tools to suit that purpose. But not everyone does, and 
in any event it is not necessary in all cases. Why not? Because there is a thriving black 
market for the sale not only of stolen information, but also the sale of the means to steal 
and disrupt. Read chapters 2-4 of this 2014 RAND study to learn more, and then consider 
the questions below. 

• Who participates in these black markets, and has the answer to that question changed 
over time? Note factors such as nationality and expertise. What are the policy 
implications of your answers? 

• Can you explain how the types of products/services sold on the black market have 
changed over time as well, and why this matters from a policy perspective? 

• What are botnets, and how has their use evolved over time? 

• People often mention the botnet problem in connection with the growth of IoT (that is, 
the “Internet of Things,” which is a shorthand for the growing constellation of household 
and personal devices with Internet connectivity of some kind). Why might that be? 

• Obviously, anonymity is important to participants in the cybercrime black markets. Read 
this January 2017 Wired article from Andy Greenberg for an introduction to how these 
markets and their participants try to remain hidden. Be prepared to explain what terms 
like “deep web,” “dark web,” and “Tor” signify. 

• Which policy arguments might favor allowing at least some such hidden services to 
exist? Which favor suppressing them? How should these interests be reconciled? Should 
the balance be the same in all societies? Why might that be hard in practice? 

• Sometimes government does succeed in “taking down” a particular dark web market. 
The RAND report suggests such successes are “transitory,” however. Why? What follows 
from this? 


2. August 30 - Introduction: Vulns, Exploits, Disclosure, and Patching; Crime 


A. More introductory concepts 

• Note: In class we had an extensive discussion about the meaning of “vulnerability,” 
“exploit,” “disclosure,” “patching,” and related concepts. The original syllabus did not 
have specific readings, let alone question prompts, about this. But we spent most of class 
#2 on those introductory matters. 

• Refer to the RAND study above. What are “zero-day vulnerabilities” and what is special 
about them? 

B. Who are the law enforcement players? 

• What is the office at DOJ that has special responsibility for this area? Read this. 

• What about the FBI? Read this for a general overview. 

• What is the role of the U.S. Secret Service, and why is it involved? Read this to understand 
the Secret Service’s role. 

• We are focused for the moment on prosecuting hacking as a crime. But it's worth 
pausing to remind ourselves that “crime” is not always the most relevant category, 
even if a given hack is a crime. So stretch your mind a bit: When DOJ decides to 
prosecute, how might this have implications—perhaps negative ones?—for the missions 
of other government agencies or departments? 


3. Sep. 5 - Prosecution: When is hacking criminal? 


Note: During this class we spent all our time reviewing and parsing the language of the CFAA, 
and did not reach the case studies. The case studies were therefore pushed off to class #4. I 
have now adjusted this version of the syllabus to list the case studies under class #4, instead of 
here in class #3. 

A. Introduction to the Computer Fraud and Abuse Act (“CFAA”) 

• There are many federal crimes that might be implicated by the activity we are 
discussing, but the most significant one is the Computer Fraud and Abuse Act, or CFAA. 
The CFAA is codified in Title 18 of the United States Code (the U.S. Code is the 
compilation of federal statutes organized topically, and Title 18 is the main place to find 
federal criminal laws). In particular, it is codified as 18 U.S.C. Section 1030. In a moment I 
want you to read key parts of it. For some of you, this will be your first time to really 
examine a criminal statute. You may be surprised how convoluted it seems to be! 
Alas...you'll get used to it. Now, on to business. Here's how I want you to do it. 
Click here and read—very slowly—the first subsection (1030(a)). As you will see, 
subsection 1030(a) contains seven separate criminal offenses. Let that sink in. CFAA is 
not one criminal prohibition, but seven. Each one could be a stand-alone section. But 
they aren't, and we just have to deal with that. You can handle it! 

• Now that you've had a chance to skim all of 1030(a), it's time to go back and really 
understand what makes those seven provisions different from one another. We will 
spend loads of time in class on this, so take it seriously! Try making a chart that has the 
number of each subsection, some sort of pithy label or name that helps you remember 
what a particular subsection is focused on, and then a bullet-point list of the “elements” 
that appear to be necessary in order to be guilty of an offense under that subsection. On 
the elements, be sure to ask yourself: What action(s) are necessary? What mental state 
seems required? Any other necessary conditions? And how is this different from the 
others? 

• For each of the seven provisions: Can you articulate the policy argument in favor of 
making each scenario a crime? Counterarguments? 

• Notice that the CFAA goes on, in subsection 1030(b), to include a clause creating liability 
for conspiracies and attempts to commit those offenses. Can you articulate pros and 
cons? 


4. September 6 - Prosecution: Other criminal statutes 


Note: In class we spent a great deal of time on a hypothetical scenario at the start of class, and 
then proceeded to cover the Morris case study and part of the Nosal case study. As a result, we 
will use class #5 in part to cover the remainder of the Nosal case study, the Swartz case study, 
and the material on the Wire Fraud statute and other items involving other criminal laws listed 
here in class #4. And for that reason, I’ve now adjusted the listing of readings and questions for 
class #4 to simply refer to the case studies, pushing the rest of the material over to class #5. 

A. Case Studies of the CFAA in Practice 

• The first big CFAA prosecution involved the ground-breaking—and largely accidental— 
“Morris Worm.” Read about the underlying events here, and then read the court opinion 
affirming his conviction here (United States v. Morris, 928 F.2d 504 (2d Cir. 1991)). 

• Do you agree that Morris violated the CFAA? Can you make the argument that this 
prosecution was desirable? Can you make the opposite argument? Which view is most 
persuasive to you? Would you alter the CFAA to produce a different result? 

• The controversy surrounding the Morris case was nothing compared to that generated 
by the prosecution of Aaron Swartz. Read about that here, and then consider the same 
questions as above. 

• Another much-discussed example concerned David Nosal, who once worked for the 
executive search-and-recruitment firm Korn/Ferry and then left to start a competitor. 
Then things got interesting. Read about the CFAA charges in his case, the issues they 
raised, and the outcome as explained by the “en banc” Ninth Circuit Court of Appeals in 
United States v. Nosal, 676 F.3d 854 (2012). Be prepared to explain the government’s 
theory of how the CFAA was violated (including which subsection), Nosal's 
counterargument, and how the court resolved things—and don’t forget to decide which 
side you would take and why. 

• The government on remand re-tried Nosal on a different theory: read here to see what 
happened next. What was the revised theory, and what do you think of it? 


5. September 12 - Criminal liability concluded; Civil Liability introduced 


Note: Because we proceeded slowly in earlier classes, class #5 actually will begin with a brief 
discussion of the second half of the Nosal case study and also the Aaron Swartz case (holdover 
material from the last class). 

A. Other Relevant Criminal Laws 

• CFAA isn’t the only tool in the toolbox for federal prosecutors dealing with cyber crime. 
There are some statutes of more general applicability that often fit well with hacking 
scenarios, and there also are some highly tailored statutes to consider. The most relevant 
of the generally applicable criminal laws, in this respect, is the “wire fraud” statute. Read 
18 USC 1343. How does it differ from CFAA? Can you explain why a prosecutor might 
find it handy? To get a further sense of what a wire fraud prosecution linked to hacking 
might look like, check out this article about an unusual wire fraud prosecution. 
Gooooooooooooooooooal! 

• Apart from “wire fraud,” there are several other, more specific fraud statutes. While I do 
not intend for you to learn the particulars of them (as you will with CFAA and wire 
fraud), I do want you to be familiar with the general idea behind them. So: skim the 
following sufficiently to be able to articulate what they forbid: 18 USC 1028 (identity 
fraud), 18 USC 1028A (identity theft), and 18 USC 1029 (“access device” fraud). Be sure 
to be able to explain what an “access device” is! 

• For a fascinating case showing how a variety of these statutes might be used in 
combination, we will discuss the prosecution of Roman Seleznev (aka “Track2”). Read 
about it here. This case turned out well for the government; do you think it indicates that 
similar success is possible in most such cases? Read this and this for a glimpse of some 
unusual complications. What made this case harder than normal? What factors explain 
how DOJ prevailed anyway? Does this show DOJ can generally prevail in similar cases? 

• Note: There are other criminal laws that are important in this space, but we will not 
explore them, in the interests of moving along to other topics. For the record, however, I'll 
still proceed to name a few of them: 18 USC 641 (theft of government property); 18 USC 
2511 (unauthorized interception of communications); 18 USC 2701 (unauthorized 
accessing of stored communications); and 18 USC 793-798 (various provisions relating to 
espionage and protection of defense information). There also is 17 USC 1201-1205, aka 
the Digital Millennium Copyright Act (“DMCA”). We will study the DMCA in more detail in 
a later class. 

B. State Criminal Laws 

• States have statutes analogous to the CFAA. For an overview of the relevant Texas 
statute, including observations on how it differs from CFAA in certain respects, read this. 
Can you articulate whether/how this differs from the CFAA? For a sense of the state 
agency responsible for computer crime investigations, by the way, read here. 

C. International cyber crime enforcement 

• The United States is party to the “Budapest Convention on Cybercrime.” Skim its 
provisions to get a rough sense of what it is trying to accomplish. What do the parties to 
this treaty actually promise to do that seems genuinely significant? Why do you 
suppose Russia, China, and Iran are not parties to this treaty? 

D. CFAA as a basis for civil suit 

• Well, it turns out the CFAA is not just a criminal statute, but also a civil liability statute (that 
is, it also creates a “private right of action” enabling suits for money damages in certain 
circumstances). Read 18 U.S.C. Section 1030(g). For such a short subsection, there is a 
LOT going on here! 

• First, there is a complicated precondition for exercising that right to sue, to the effect that 
only certain conduct counts. Can you unpack the statutory cross-references and 
explain, in plain English, when someone is allowed to sue? Can you explain what this 
leaves out, and why Congress might have gone to such trouble to draw this line? Do you 
agree with this approach? 

• Next, there's a sentence that limits the plaintiff to “economic damages” for a certain 
type of case. What does this mean, what type of case counts, and what explains all this? 

• We'll skip over the statute of limitations (that is, the part that says you only get two years 
to sue). That brings us to the last sentence of 1030(g). What precisely does this last 
sentence do? Be prepared to make both pro and con arguments for this provision. 

E. CFAA Civil Suit Case Studies 

• Social media companies like Facebook and LinkedIn at times turn to the CFAA (using its 
civil liability provisions) in an effort to stop other companies from collecting information 
from public-facing parts of their sites. Whether and when such conduct violates the 
CFAA is a hot current issue. Read about the suit Facebook filed against “Power Ventures” 
here and here. Be able to describe how Power Ventures made use of data found on 
Facebook pages, why Facebook claimed this violated the CFAA, why Power Ventures 
took the contrary view, and how the courts resolved the matter (note: The Supreme Court 
recently refused to review the appellate court's ruling, ending the case). 

• hiQ v. LinkedIn is a similar, recent case. Read about it here and here. Same questions as 
to the Power Ventures clash with Facebook. What are the larger policy stakes? (The 
litigation in this one continues, with the Ninth Circuit Court of Appeals having heard oral 
argument last spring and the resulting decision not yet having issued). 

No class on September 13 (makeup TBD) 


6. September 19 - What if the attacker is a foreign government? (i) 


A. Key concepts 

• Up until now, we have proceeded from the assumption that instances of unauthorized 
access involved run-of-the-mill criminal or tortious activity conducted by private 
individuals or organizations. But sometimes the perpetrator is acting on behalf of a 
foreign government. Governments hack for many different (and sometimes 
overlapping) reasons, and we need to introduce these possibilities before turning to the 
questions that arise when we consider how the U.S. government attempts to impose 
costs on foreign governments in these situations. The primary reasons, in no particular 
order, include: 

o Law Enforcement: A government may engage in hacking to advance its own law 
enforcement interests (hacking to investigate or gather evidence, or perhaps 
even to do something to set up an arrest or other action). 

o Crime: Some regimes are desperate for cash. Private persons are not the only 
ones who might hack for financial gain. 

o Information Collection: Most states are in the business of stealing secrets in order 
to inform decisionmaking or to advance other goals, though states vary widely in 
their capacity to actually do this effectively. It is an ancient art, one that always 
has involved both technical and non-technical means. As more and more 
information and communications have gone digital, hacking has become ever 
more central to it. Often we call this “spying” or “espionage,” terms that call to 
mind images of civilian agencies stealing secrets for the benefit of a government 
(or, in the practice of some states—though not the United States—for the benefit 
of state-controlled or state-favored private enterprises). But civilian agencies are 
not the only ones that engage in surreptitious information collection. When 
conducted by the military, we sometimes refer to this activity as intelligence, 
surveillance, and reconnaissance (“ISR”). ISR has connotations of informing 
tactical, operational, or even strategic military planning. Whatever the label, 
though, the bottom line is that hacking is an increasingly necessary aspect of 
stealing secrets. 

o Covert Action: As our review of the CFAA underscored, the general label of 
“hacking” encompasses more than just unauthorized access to steal information; 
sometimes the access is sought in order to alter or destroy data or to cause harm 
to a system controlled or impacted by that data. When a government pursues 
that approach, a question arises regarding how to categorize the activity. 
Sometimes such activity will be part of an armed conflict, and we will say more 
about that in just a moment. For now, what matters is that not every such hack 
occurs in the context of armed conflict; indeed, most do not. And yet they are 
not instances of espionage, either. So what are they? Well, if the government 
involved is trying to keep its role secret, then the best answer usually will be 
“covert action” (there are some complicated nuances here, at least within the 
U.S. legal system, when the government entity involved is a military entity, but we 
will save that for later in the course). Covert action can encompass a wide range 
of cyber operations, from information operations (propaganda, disinformation, 
etc.) to efforts to create damaging physical effects (sabotage). 

o Armed Conflict: Though journalists and others routinely refer to cyber “attacks” 
and “cyberwar” when talking about hostile foreign cyber activities targeting U.S. 
systems, the fact is that these actions rarely actually concern genuine armed 
conflict involving the United States. But they certainly could, and sometimes they 
really do. And so the threshold question you must ask is: Is there already a 
relevant state of armed conflict, or could this action on its own engender one? If 
not, then it is better not to talk in terms of war and combat; covert action may be 
the better label. 

o Preparation of the Battlefield: This is military jargon for the idea that it is at times 
useful or even necessary for the armed forces to take certain actions in advance 
of potential hostilities—sometimes far in advance—in order to be in a better 
position to carry out certain operations later (that is, if and when an armed 
conflict actually begins). In the physical world, for example, special operators 
might enter enemy territory prior to a conflict in order to determine optimal 
routes, preposition supplies, and so forth. So too, then, with cyber operations: in 
order to be able to take an action involving a targeted system later, it may be 
wise or even necessary to establish access to that system now. Of course, in that 
case one most likely will be at pains to remain undetected, lest that “preparation 
of the battlefield” go to waste. But what if one actually wants to be detected? 
That leads us to the distinct concept of a “hold-at-risk” strategy. 

o Hold-at-Risk: This perhaps-unfamiliar phrase is a shorthand for a simple idea. It 
refers to the idea that one might want to demonstrate to a rival or prospective 
opponent—in a very credible way—that one has the capacity to cause damage 
to something that they value. That is, the idea is to prove that you are holding 
something they value “at risk,” and that the other side had best not forget this 
when interacting with you in other settings. Simply put, a “hold-at-risk” strategy is 
an effort to improve your deterrence posture in relation to an opponent, thus 
impacting their calculations and actions in a way that is favorable to you. In this 
sense, it is akin to a “show of force” in which a government puts equipment or 
personnel, quite visibly, in geographic position to carry out certain operations 
(e.g., positioning an aircraft carrier nearby). In the cyber context, penetrating a 
system that contains valuable data or controls a valuable system—and allowing 
the other side to detect that one has done this—is a way of signaling that you 
truly do have the means to harm that data or system (and perhaps others as 
well). 

o The Indeterminacy and Multiplicity Problems: Here's the most important point of 
them all: In many instances, it is not easy for a defender to tell which of these aims 
might explain why someone has hacked into a particular system. To be sure, it 
can become clear enough once the hacker begins making use of that access in 
order to do certain things. But because all of the aforementioned motivations for 
state-sponsored hacking begin with social engineering or malware in order to 
gain unauthorized access to a system, a defender who has detected such an 
intrusion may be left with little basis for predicting what the intruder intends. 
Sometimes the context will help, of course, and eventually time will tell. In rare 
instances, moreover, external sources of information might shed useful light too. 
But in the meantime, the defender is left to make the best guess possible in the 
circumstances. Note, too, that the intruder might have in mind one purpose at 
one time, yet may switch to a different purpose later. 

• Bearing the above in mind, perform the following exercise: Pick a foreign power with 
whom the United States has particularly bad relations, imagine you are in a position of 
authority and trust in that government, and imagine a concrete example of an American 
target that you might like to have your government penetrate for each of the purposes 
mentioned above. Be able to explain what your country gets from each scenario, but 
also the offsetting risks that might give you pause. 


7. September 20 - What if the attacker is a foreign government? (ii) 


A. A Framework for Thinking About Threat Reduction 

• Conversations about the threat foreign governments may pose to networks in the United 
States (including not just threats associated with formal parts of those governments like 
their militaries and intelligence services, but also private persons/organizations that may 
act on behalf of those governments) often are framed in terms of “deterrence,” 
“escalation risk,” and other familiar concepts from the international relations and security 
literatures. And rightly so. Before exploring those concepts in detail, however, it might 
help to spend a moment considering, at a high level of generality, how such concepts fit 
into a larger picture: 

o Let's say you are the President of the United States, and you and your advisors 
are formulating a strategy in response to your belief that a foreign 
government—let's say it is Iran—might take an action you view as a serious 
threat to U.S. interests. That action could involve the use of an existing 
capability in some unwelcome way (a use of military force, an intervention in 
the oil market, etc.), or it might involve an attempt to acquire some new 
capability that would make the foreign state a greater threat in the future (a 
nuclear bomb, for example). The point is: your overarching goal is to 
minimize the net danger. 

o To achieve that overarching goal, there are at least three subsidiary strategies 
you might consider (they are not mutually exclusive): 


o Disruption: Prevent the other state from becoming capable of taking the 
undesirable action. Or, if it has the capability already, destroy (or at least 
degrade) it. 

o Deterrence: Persuade the other state not to take the action by making its 
cost-benefit assessment less appealing, that is, by raising its expected costs 
and/or lowering its expected benefits. 

o Defense: Minimize the harm you would suffer if the undesirable action 
occurs. Do that by maximizing relevant defenses and establishing resiliency. 

(In the original, these three strategies appear as a diagram; the text of the 
“Deterrence” cell is only partly legible and is summarized here from the note 
that follows.) 

o Note that the disruption, deterrence, and defense strategies can relate to one 
another. For example: if you build strong defenses and your adversary knows 
this, this may cause an increase in the expected costs of the action (for they 
may conclude they must put more of their own resources into the effort) or a 
decrease in their expected benefits (for they may have to revise their odds of 
success). Either way, their cost-benefit assessment will be less appealing, and 
the degree of deterrent persuasion increased. 

C. Notes on the U.S. defensive posture in cyberspace: America the vulnerable? 

• Read this article by Jack Goldsmith and Stuart Russell. It details six ways in which the 
extensive “digitalization” of the United States results in strategic vulnerabilities that, in turn, 
cast a shadow over U.S. policymaking and operational decisionmaking in response to 
adversary actions in cyberspace. Be able to describe each, and to explain precisely 
why it should matter to U.S. policymakers pondering their options in response to hostile 
foreign cyber activity. What larger lessons do you draw? 

D. Key terms relating to deterrence 

• Some key concepts here are “Deterrence,” “Cross-Domain Deterrence,” “Within-Domain 
Deterrence,” “escalation,” “escalation risk,” and “escalation dominance.” Read this. 
Can you define these concepts? 

• Read this. Should the government always make public that it has taken an action in 
response to another state's hacking? Can deterrence work without public claims of that 
kind? In answering those questions, give thought to the different possible “audiences” for 
such actions. Obviously one would be the foreign government to which the U.S. is 
responding. But who else might be watching? 

• On “Attribution” in the cyberspace context, read this and this. Can you define 
“attribution” in this setting? Why do some claim it is especially difficult in the cyberspace 
context, and why would that be different than, say, nuclear weapons? What impact does 
such difficulty have on decisionmaking in particular cases? 


8. September 26 - What if the attacker is a foreign government? (iii) 


A. Tools for imposing costs 

• We have already considered the possibility of using criminal prosecution to impose costs. 
There are many other tools to bear in mind. 

• For example: economic sanctions. This is a vast and important topic, the full scope of 
which is well beyond the topic of our course. But here is what you should understand at 
a minimum: 

o When we talk of “sanctions” in this setting, we are referring to the ability of the U.S. 
government either to freeze the U.S.-based assets of a foreign person, 
organization, or government, or to declare some or all transactions with the 
sanctioned party unlawful (so, no purchases, sales, trade, donations, services, 
exchanges, etc.). 

o Congress at times has passed laws that directly impose sanctions, but it is much more common these days for Congress to delegate to the President the authority to impose sanctions based on certain criteria Congress sets. For example, Congress recently enacted the Countering America's Adversaries Through Sanctions Act (CAATSA, pronounced “Cats-uh” or “Cots-uh”), which among other things calls for sanctions in response to interference with U.S. elections. And definitely be aware of the International Emergency Economic Powers Act (IEEPA, pronounced “Eye-EEP-uh”), which since the 1970s has served as a broad delegation of authority for the president to sanction foreign entities so long as the president has publicly declared the existence of a “national emergency” relating to a foreign affairs matter and the sanctions are related to that situation. (Note: don't be misled by the seeming gravity of declaring a national emergency; the public over time has proven to be largely uninterested when such declarations occur, and thus it has proven relatively easy to declare them when deemed useful.) 
o By and large, presidential authority to issue sanctions under these and similar statutes ends up being delegated, through an executive order, to the Treasury Department. The body within Treasury that manages them is the Office of Foreign Assets Control (“OFAC”). Periodically, OFAC will announce new entities or individuals to be sanctioned under one or more of the currently-active sanction regimes. 

o What makes people comply with sanctions? Criminal penalties for violating them (derived from the statutes that created the sanction rules in the first place). 

o Can you sanction someone for their violation of other sanctions? Yes, that's called “secondary sanctions.” This is a hot topic vis-à-vis foreign companies that want to do business with foreign entities (such as certain Iranian entities) that are themselves the subject of sanctions. 

o Unilateral sanctions (that is, those imposed only by the United States) can have an impact, but multilateral sanctions of course can have a greater impact. To get other states to follow suit, the U.S. government can try diplomatic persuasion. To actually compel other governments to follow suit? That requires a U.N. Security Council Resolution, which is no easy thing to obtain given the constellation of competing national interests the Council represents (and the fact that China, Russia, the UK, France, and the United States all have permanent authority to veto UNSC action). 

• What other tools can the U.S. government bring to bear to impose costs? Also, are there “carrots” that the U.S. government can offer instead? Generate a list. 

• To assess the deterrent value of each tool in a particular setting, you should consider at least three variables: 

o To what extent would the foreign government view the use of that tool as undesirable (to it)? 

o To what extent is it possible for the U.S. government actually to bring that tool to bear (and would the other government likely understand this)? 

o To what extent does the relevant US decisionmaker have the will to use that tool 
(and, more to the point, what is the other government likely to think about that)? 

• Give some thought to how those variables might apply to each item on your list. 

• We've been talking about these tools through the lens of deterrence. Above, we distinguished deterrence from disruption. Are any of the tools on your deterrence list also useful for disruption? 


* September 27 No class (makeup session TBD) * 


9. October 3 - What if the attacker is a foreign government? (IV) 


Our aim at the outset of this class is to use a handful of case studies in order to understand deterrence dynamics in relation to cyberspace. 

A. Russia 

• Read this New York Times account from December 2016, which focuses on Russian election interference in 2016, and this one on possible responses. Next, have a look at this indictment of various Russian officers issued by a grand jury in July 2018. Questions to ponder: How did hacking in this context relate to a larger “information operation”? What lessons does this episode suggest about vulnerability to spear-phishing? How do you assess the response of (i) the FBI in particular and (ii) the U.S. government more generally? What insights did you gather regarding the entities that conduct such activities for the Russian government? How would you characterize what Russia did here (Crime? Espionage? Covert action? Some combination, or something else?)? What would you have done differently had you been president? And, finally, is any of this actually beyond the pale, in the sense that you would not want to see the United States doing the same thing (and do you see how that is a different question from asking whether the United States should do what it can to stop such actions from succeeding against it)? 

• Read this Washington Post story regarding another Russia incident, the resulting indictment, and the latest developments in the case. How do you assess the effectiveness of the U.S. government response in this instance? Can the same model reliably be applied elsewhere? 

B. China 

• Read this Christian Science Monitor piece examining Chinese-government sponsored hacking against U.S. targets (public and private) in recent years. How does Chinese-government sponsored hacking differ from the Russian activities described above, and what follows from this as a matter of policy? Should it be off-limits to hack businesses in hopes of providing competitive advantages for your own nation's companies (and does it really matter if the companies in question, on either end, are formally owned in part or in whole by the state)? Should the United States have done more to respond to these hacks? 

• The Obama administration surprised many observers when it brought criminal charges against a group of PLA hackers (United States v. Dong (W.D. Pa.)). Read the indictment, as well as this story and this story about the case. Analysis of the impact of this effort has been conflicted. Compare this account and this account. What lessons if any do you draw from this? Is prosecution an effective approach? Scalable? Does news of this recent arrest, possibly linked to the famous OPM hack, change your view? 

• Prosecution is not the only tool available, of course. Read this Executive Order from President Obama, which in April 2015 established a system for sanctioning the beneficiaries of cyberespionage used for commercial advantage. Read more here and here, too. Pros and cons of this approach? 

• Eventually, the U.S. and Chinese governments struck a deal, of sorts. What was it, and has it helped? Read this recent account. What lessons do you draw? 

B. Encouraging Potential Victims to Better Protect Their Systems 

Minimizing unauthorized (and excessive) access is not just a function of imposing painful consequences on intruders. It is also a function of making it harder for them to succeed when they do make the attempt—i.e., improving defense. Indeed, recall how we distinguished disruption, deterrence, and defense in the readings above. Improving defense will, at the margins, prevent some intrusions in the sense that some attacks that might otherwise have succeeded will now fail. Moreover, even for attackers who are able and willing to overcome the improved defense, the improvement increases the attacker's costs, thereby making the effort marginally less attractive (by reducing prospective return on investment) and perhaps even causing the attacker to reduce the scope of their activities due to resulting resource constraints (sometimes this is called “deterrence by denial”). Incentivizing potential victims (whether they are private or public entities or individuals) to improve their defenses on a systemic basis thus can serve an important goal of cybersecurity policy. 

Of course, most potential victims already have at least some incentive to develop and improve defenses even absent any form of government intervention. Some have trade secrets to protect. Some desire to keep things private. Some need to keep customers happy. And so forth. As a result, we can safely assume there will be some defensive activity even if no external forces intervened to encourage such steps. It's rather like the situation of a building owner. Most owners would take at least some steps to make the building safe even if there were no building codes, insurers, or plaintiff's lawyers with which to contend. 

But is this “natural” level of effort good enough? In the building context, society has answered that question with a resounding no; governments, insurers, and litigators intervene in all sorts of ways to spur further safety measures in that setting. And the same is true with respect to various other contexts, such as pollution and public health. In these and other settings, we see extensive market interventions in the name of safety (whether all such interventions are genuinely so motivated is an entirely different question beyond the scope of our course). 

Increasingly, we are doing the same with respect to cybersecurity. 

As we shall see, the levers for intervention are pretty much the same in all these contexts (though it is much more interesting to study them in the cybersecurity context, since they are much newer and more contested here). We will focus on four of them. 

The first two—regulation and liability—are familiar to most of us. We will start by examining the regulatory approach: that is, top-down imposition of rules (via statute or through regulations promulgated by an agency) that just directly require that certain entities employ particular practices or procedures, upon pain of facing some form of enforcement action (usually in the form of a civil suit brought by a regulatory agency). Our aim is to understand whether and how the United States has embraced this approach to driving better defense, and what forces explain the status quo. Next, we will turn to consider the liability approach quite apart from the actions of regulatory agencies. That is, we will consider the extent to which organizations or individuals may be exposed to private lawsuits for money damages (usually brought by the downstream victims of data breaches, such as customers and credit-card issuers) if some entity arguably had inadequate defensive measures. 

The next two mechanisms are less familiar, yet easy enough to grasp. First, insurance. The availability of insurance coverage in the first instance (not to mention the details regarding when a claim actually will be honored) can be a powerful incentive for behavior in this context as much as any other. Second, we will consider what one might call “pruning”: identifying ways in which the current legal architecture unintentionally disincentivizes some desirable defensive measure, and then altering the law to remove that disincentive and hopefully pave the way for voluntary improvements. 

Next, we will look at a pair of considerations involving the federal government in particular. 

Under that heading, we first will consider the government's role in mandating improved defenses for...itself. The federal government consists of a vast array of distinct institutions, and each of them has its own array of information systems to protect. However hard it may be for the government to compel other entities to do better at defending their systems, it should be easier for it to compel its own constituent parts to do so. We will examine how that responsibility is distributed within the government, and we will consider how effectively it has been executed in recent years. Separately, we also will consider how the federal government has an additional capacity to incentivize improved security by others, thanks to the considerable leverage that some parts of the government wield through their purchasing and contracting authorities. 


10. October 4 - The Role of Regulators: Rulemaking & Enforcement 

11. October 10 - Same 


A. About Federal Administrative Agencies 

• The federal government contains a large number of administrative agencies. Each has some particular field of subject-matter responsibility (the scope of which is defined by statute in most cases). Each typically performs many functions, but we are especially concerned with two core capacities. 

• First, rulemaking. An agency might have authority to promulgate legally-binding regulations (that is, to engage in “rulemaking”) in furtherance of some goal specified by Congress. For example, Congress has given the Environmental Protection Agency authority to promulgate regulations to further the goals of the Clean Air Act in certain ways. There are a host of complex procedural rules associated with agency rulemaking, but for now it is enough to know that this has been a common mode of creating law since the 20th century. 

• Second, enforcement. Congress sometimes authorizes an agency to initiate and pursue “enforcement” proceedings. The idea is that the agency may be tasked with investigating possible rule violations (whether a rule stated directly in a statute enacted by Congress, or a rule promulgated by an agency pursuant to authority delegated by Congress) and then initiating civil proceedings to enforce alleged violations. In some cases, the enforcement action might take the form of an ordinary civil suit, with the agency suing the alleged violator in federal court. But sometimes Congress empowers the agency also or instead to adjudicate the enforcement process internally (at least as an initial matter), with a litigation process involving an administrative law judge within the agency itself. Either way, the general idea is to secure a determination that someone violated a rule, producing a costly fine/damages, an order obliging (enjoining) the violator to take or cease some particular action(s), or both. 

• Like other forms of litigation, agency enforcement proceedings routinely result in settlements in which the alleged violator agrees to take or cease certain actions, with the possibility of more severe consequences later on if the party breaches that obligation. 

• Note that other parties in an industry may take note of the initiation and resolution of enforcement actions; they cast a shadow—sometimes a very long shadow—that may impact how other players decide to act. Bearing that in mind, can you make an argument that “enforcement” authority is itself a second form of rule-making authority? 

B. There Is No Cybersecurity Protection Agency (Yet) 
• I mentioned the EPA above. It was created during the Nixon Administration at a time of mounting concern about the harmful effects of pollution. Over time, Congress has granted various rulemaking and enforcement authorities to the EPA in furtherance of this general mission. One might argue that mounting concern about inadequate cybersecurity warrants creation of a similar dedicated agency. It is important to grasp, however, that Congress so far has not taken that step. 

• But that does not mean that there are no agencies engaged in promotion of cybersecurity. It just means there's no new agency created for and dedicated exclusively to this purpose. 

• Your goal in light of all that: understand how certain pre-existing agencies have managed to participate in cybersecurity promotion. We'll start with the one you hear about the most in this space: the FTC. 

C. The Federal Trade Commission (“FTC”) and the FTC Act 

• For a very brief introduction to the FTC, read this. Based only on this overview, would you expect the FTC to have a role in setting or enforcing standards for cybersecurity? Why or why not? 

• One of the statutes the FTC is empowered to enforce is the Federal Trade Commission Act (“FTC Act”). The FTC has not engaged in any rulemaking relating to cybersecurity under this statute. Instead, it has focused on enforcement actions, based on the claim that some situations involving poor cybersecurity violated a rule set forth in the FTC Act itself. In fact, it has initiated more than 60 enforcement actions along these lines, and has touted the resulting body of cases as functioning, collectively, as a form of guidance to the private sector. In a moment I'll ask you to consider whether this level of enforcement, without tailored rulemaking, is desirable. But first you need to know just what they've been enforcing and how they've been doing it. 

• Goal #1: Understand what exactly the FTC Act prohibits. The answer is found in 15 U.S.C. 45(a)(1). Read just that part—(a)(1)—carefully. There's an opening clause about unfair competition, and a second clause that refers alternatively both to “unfair” practices and “deceptive” practices that impact interstate commerce. Can you explain how unfairness is different from deception? Does either concept seem relevant to a situation in which some entity has poor cybersecurity? In terms of clarity (and thus understanding on the part of those who must comply), how does this compare to the various subparts of the CFAA? 

• Goal #2: Understand how 15 U.S.C. 45(n) limits one (but not both) of those two prohibitions. Which one is impacted, and is the impact likely relevant for a cybersecurity situation? 

• Goal #3: Understand whether there are significant limits with respect to who has to care about the FTC Act. Read 15 U.S.C. 45(a)(2). Does it encompass everyone? 

• Goal #4: Understand how the FTC goes about enforcing the FTC Act. It has two available options. Read 45(b) and 45(m). Can you explain the difference between the two procedures in terms of who decides whether the FTC's allegation is correct? In terms of what remedies appear to be available if the FTC wins? 

• Case study: Uber 

o Read this complaint filed by the FTC. Which enforcement path did the FTC use in this case? In what way(s) did Uber allegedly violate Section 45(a)? Assuming all the allegations to be true, would you agree with the FTC that this violates the statute? 

o Eventually Uber settled with the FTC, but then in April 2018 the FTC announced it had reopened the case due to Uber's failure to disclose that, during the pendency of the case at the earlier stage, Uber had experienced another data breach. This led to a revised settlement agreement. Scan the document to get a sense of the commitments FTC extracted from Uber. What are they, and was this a good outcome? 

o The FTC was not the only problem Uber faced in connection with these events. A number of state Attorneys General decided to team up and sue Uber together, based on various state data-breach liability laws we will examine in the next class. For now, it is enough to note that Uber faced this massive and well-resourced lawsuit at the same time that it faced the FTC's renewed enforcement action. Consider how the pendency of parallel litigation might matter. Oh, by the way, Uber and the states have just announced (9/26/18) that they are settling for $148 million. 

• Case Study #2: Wyndham Hotels 

o Here's an example of the FTC suing in federal court. Read this note summarizing the litigation involving Wyndham Hotels. What was Wyndham's argument about the propriety of suing them under the “unfairness” prong of Section 45(a)(1)? How did the court rule on that point, and do you agree? What was Wyndham's second argument, concerning “fair notice”? How did the court rule on that one, and do you agree? 

o Note: Wyndham and the FTC settled later, with Wyndham agreeing to take on a variety of security-focused practices (as well as annual audits) for the next 20 years. 

• Case Study #3: LabMD 

o This was a remarkable case in many respects. I won't summarize it here, but rather will ask you to read this short overview from Prof. Dan Solove. Can you summarize how the outcome in LabMD compares to Wyndham? 

D. The FTC and the Gramm-Leach-Bliley Act 

• As it happens, the FTC also has authority to enforce other statutes, and in some cases to 
promulgate regulations relating to them. One such statute is the Gramm-Leach-Bliley Act 
(the “GLB Act”), which among other things concerns the protection of customer data by 
financial institutions. 

• The FTC has promulgated a set of regulations on that issue, known collectively as the 
“Safeguards Rule” (found in 16 Code of Federal Regulations Part 314). Skim the text of Part 
314 and then read this FTC-written overview . Who does this govern, and (at a general level) 
what does it require them to do? 

• For a recent illustration of the Safeguards Rule in action, read pp. 3-5 of this action the FTC pursued against TaxSlayer. I won't have questions for you about this one; it's just an illustration. 

E. A Quick Look at Other Federal Regulators 

• There are other federal regulators involved in cybersecurity, besides the FTC. We will not go 
into anything like the same level of detail with them, but you should have at least a glancing 
familiarity with the roles some of them play. 

• For each example below, identify the substantive standard that the agency appears to be 
enforcing: 

o Read here for an example involving the Securities & Exchange Commission (“SEC”). 

o Skim this (just glance through the first dozen pages) for an example involving the Federal Communications Commission (“FCC”). 

o Note that medical devices obviously raise especially-acute cybersecurity concerns, 
particularly when the device in question can be accessed remotely and is capable of 
causing significant harm. I'm not assigning you anything relating to the Food and Drug 
Administration (the “FDA”), but if you are interested in going deeper on this topic: do 
some searching to see if you can determine whether the FDA has gotten involved with 
cybersecurity regulations or enforcement. 

F. Don’t Forget the State Regulators and Foreign Regulators 

• Why should all the fun be left to federal regulators? Of course, it isn't. I want you to be generally aware of various ways in which other regulators become involved, though I'm not going to ask questions about this in class or hold you accountable on the exam for it. This is just for your general awareness. This example recently took effect in New York in relation to the financial services industry. And here's a short piece explaining how various European regulators responded to the same Uber breach we noted above. 


12. October 11 - The Role of Private Lawsuits and Insurance 


A. The Big Picture: Who Are the Injured Parties Who Might Become Plaintiffs? 

• Consider the following depiction of the chain of actors involved in a common type of cybersecurity incident: 

o Vendor (makes software) 

o Company (uses Vendor's software; has customer credit card data) 

o Hacker accesses Company's database by: (1) social engineering tricking Company's employee into sharing credentials, or (2) exploiting a zero-day vulnerability in Vendor's software. 


• Who would you characterize as a victim? 

• One might expect that, if anyone is to be sued for damages, it would be the hacker. That 
rarely occurs, however. Why might that be? 

• Usually the vendor is not sued either. That's to be expected if the hacker breached the company's security via social engineering; that's a failure on the part of the employee(s) and perhaps the company, but not the vendor. But what if the breach was the result of a vulnerability in the vendor's software? Read this article and make a list of the obstacles to suing software providers. Consider the policies that might be served by each obstacle. Would you change any of them? 

• This leaves the option of suing the company that actually suffered the breach. Our goal now is to understand the major forms of liability that companies in this situation might face. 

B. Tort Liability (For Lack of Due Care) 

• In our legal system, we use the word “tort” to refer to situations in which the law authorizes suits for damages based on harmful actions/omissions. Some torts are “common law” causes of action, meaning that the courts have recognized a right to sue in a particular situation even without a statute calling for recognition of that tort. This is the traditional and most familiar kind of tort. Examples include negligence and battery. But legislatures can create torts by statute, too, if they wish. 

• There are many kinds of torts. One batch, called “intentional torts,” involves purposefully-harmful conduct. That's not our concern here, for we are assuming that companies do not intend to be breached. So that leaves us with unintentional harms. In that situation, the tort system can take either of two approaches. First, it can make someone strictly liable for all harms they cause. Second, it can make them liable only for harms that result from lack of adequate care—what we commonly call “negligence.” The strict-liability approach is relatively rare, and usually confined to ultra-hazardous activities. For companies that may have inadequate information security, the important question is negligence. 
• As all law students learn during their first year, negligence makes a defendant liable in damages where four conditions are met: (1) the defendant owed a duty of care, (2) the defendant breached that duty, (3) the plaintiff suffered a legally-recognizable harm, and (4) the breach was the proximate (reasonably-foreseeable) cause of that harm. Pause now to consider how, in the scenario above, the company's customers might have a negligence claim against (a) the company or (b) the vendor. 

• Case study #1: A Negligent Law Firm? 

o Here is an illustration of a suit against a company—a law firm, actually—for negligence relating to inadequate information security. Assume the allegations are true: Do you think the elements of negligence are satisfied? Note how the plaintiff used the defendant's own words against it when describing its view of what should count as due care in this context. 

o Even if the plaintiff seems unlikely to win on the merits if the suit goes to trial, the defendant still might conclude that the rational path forward is to settle the case. Why, and what does that suggest about the incentives created by the possibility of being sued? 

• Case study #2: Equifax 

o Not long ago, Equifax (one of the major credit-reporting agencies) suffered a massive data breach. Credit-reporting agencies are a particularly-appealing target for this sort of thing, in light of the vast volume and sensitive nature of the information they collect. As you might imagine, news of the breach made headlines, and many lawsuits followed. Here is the complaint in one of those cases. 

o The plaintiffs in this case seek “class action” status—that is, they seek approval from the court to assert not just their own claims but those of all other similarly-situated persons. Consider the pros and cons of class-action status from the point of view of the defendant, the plaintiff, and the plaintiff's attorneys (bearing in mind that the plaintiff's attorneys most likely are being compensated on a “contingent fee” basis—meaning that they will receive a percentage of the eventual recovery, if any). 

o It can be hard to prove what the duty of care is, let alone that a breach of it occurred. But in the data breach context, the real challenge often is showing damages proximately caused by the breach. Read this for a critical perspective on that problem. Do you agree with EFF? 

• Breach of a Statutory Duty of Care* 

o The question of whether and to what extent tort liability should exist for failing to secure data sufficiently does not have to be left up to the common-law process in which courts consider whether to recognize a duty of care in this space. If a state legislature wants to confirm that such liability exists, it can do so by statute. And California recently did exactly that. 

o Section i i of the California Consumer Privacy Act of 2018 (codified at Cal. Civil Code Section 1798.150) provides that certain companies doing business in California are subject to civil suit for injunctive relief or damages (in the amount of the plaintiff's actual damages or else “statutory damages” (that is, a pre-set penalty determined by the statute) in the range of $100-$750 per consumer per incident, whichever turns out to be higher) if “nonencrypted or nonredacted personal information...is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information....” 

o How does this statutory standard compare to common-law negligence? 


* This is material we discussed in class, though it was not included in the earlier version of the syllabus. I’ve added it 
to the syllabus now both for the sake of convenience for those who were in class that day and for the benefit of those 
who for whatever reason missed that class. 
o In light of how the statute describes the category of information subject to the 
statute’s protection, what advice would you give to a company that has personal 
information to protect? 

C. Contract Liability (For Failing to Live Up to Security-Related Promises) 

• In some settings, the company that suffered a breach will have made security-related representations in a contract of some kind. A professional-services firm, for example, might include such representations in the “engagement letter” that serves as the contract between the firm and its clients (sophisticated clients increasingly will insist upon this). In other settings, there may be terms-of-service that govern a customer's or user's relationship to a company (particularly but not only where customers or users interact with the company via an app). These too may contain security-related representations. These and other examples create the possibility of a breach-of-contract lawsuit in the event of a data breach where the breach arguably shows that the company failed to live up to its promises. 

• Of course, companies make some representations in settings that do not count as part of a contract with a customer or user. For example, a company may make statements in advertisements or on their websites, including statements about care they take to protect customer and user data. Consider how this illustrates the difference between a breach of contract claim and an FTC enforcement action based on deceptive advertising. 

• Case study #3: Anthem 

o In February 2015, the health insurance company Anthem announced that its security 
had been breached and that a massive amount of personally-identifiable information 
about patients had been exposed. This led to massive litigation, based on a variety of 
claims including breach-of-contract claims. Anthem tried to have these claims 
dismissed, but was only partially successful. On one hand, it did succeed in having the 
breach-of-contract claims dismissed, on the ground that the promises it made on its 
website's “privacy statement” and in certain mailings to customers, regarding customer 
privacy, were not actually part of a contract with customers. On the other hand, the 
court refused to dismiss a separate cause of action, under California state law, for 
deceptive advertising. 

o Having failed to get the whole case dismissed, Anthem eventually settled. Read about it 
here. What did the plaintiffs receive? What did the plaintiffs' attorneys receive? How do 
you feel about this result? Also read this more-recent notice about the settlement. 

o By this point, you surely are asking yourself: Didn't the regulators from last week also get in 
on the Anthem action? Of course they did! 

o Because Anthem was in the insurance business, a California state insurance 
regulatory agency conducted an investigation. The summary of its report is quite 
interesting. Read the summary here. Is this inconsistent with the civil litigation result? 
If so, is that a policy problem and what might be done about it? 

o As for the FTC: It did not get involved. But because Anthem was involved in health 
matters, another federal agency did: the Department of Health and Human Services 
(“HHS”). For a quick glance at HHS's role in this space, read this. 

D. Liability for Inadequate Disclosure of a Data Breach 

• The possibility of being sued for inadequate care, failing to live up to a promise, or 
deceptive advertising all loom large when a company learns that it has been breached 
and that customer or user data has been exposed. And that in turn creates an incentive 
for the company leadership to proceed very carefully—and thus very slowly—in letting 
anyone know that the breach has occurred. But there is a powerful consideration 
pushing in the exact opposite direction: all states have laws compelling companies to 
disclose such breaches, and to do so rapidly. Can you summarize the competing public-
policy interests implicated by such laws, and how you assess the balance between 
them? 

• Needless to say, we are not going to look at all the different state breach-disclosure laws. 
Instead, we'll look at Texas law as an example. Read Texas Business and Commerce 
Code Section 521.053(b). 

o How certain must the entity be that a breach occurred? 
o Precisely how quickly must the disclosure be made as a default matter? 
o How does section 521.053(d) potentially change that timeline? 

o The Texas Attorney General is responsible for filing civil suits to enforce Section 
521.053, but note that a Section 521.053 violation may also constitute a deceptive 
act for purposes of a private civil suit under the Texas Deceptive Trade Practices Act. 

• As you might imagine, the patchwork quilt of disclosure laws around the various states 
(as well as some cities) has led some to argue for Congress to impose a uniform national 
approach. What are the pros and cons? 

• Don't forget: some companies will be subject to foreign jurisdictions as well, and these 
may be more demanding than American disclosure requirements. The European Union's 
much-discussed “General Data Protection Regulation” (“GDPR”) is a particularly- 
significant example you should be aware of (though we are not studying its particular 
requirements in this class). 

E. Shareholder Derivative Actions 

• Recall that in our generic scenario above, we noted the possibility that Company B has 
shareholders who might sue it, assuming share prices dropped once the breach became 
public. Such “shareholder derivative actions” arise frequently with publicly-traded 
companies, when those companies experience any sort of significant reversal that might be 
attributed to bad decision-making by the company's officers or board of directors. Read this 
article for a fine overview of how such suits have fared in some of the most well-known data-
breach cases. 

F. Insurance 

• In any context in which entities and individuals can anticipate suffering a loss—whether the 
loss be from damage to possessions or person, or from at least some forms of legal liability— 
there is a strong incentive to protect against the anticipated loss by purchasing an insurance 
policy. Because insurers usually (though definitely not always) are at liberty to determine 
which sorts of risks they will insure against, and subject to which conditions, the insurance 
industry in general is in a powerful position to nudge or even compel certain behaviors (just 
think of the incentives for safe driving that car insurance does or might generate). And thus 
insurance has an important role to play in relation to the general challenge of encouraging 
potential victims to engage in better defense. For a handy and accessible (and brief) 
introduction to the emerging cybersecurity insurance market, read this testimony from a 
leading insurance executive before a Congressional hearing in July 2017. 


13. October 17 Pruning Disincentives and Leveraging Purchasing Power 

14. October 18 Same 


A. What Do We Mean by “Pruning” and Where Does It Matter for Cybersecurity? 

• In some situations, an entity might be willing (perhaps even eager) to pursue some particular 
security measure, but is deterred from doing so by the potential applicability of a legal 
constraint (criminal, civil liability, regulatory pressure, etc.). In such circumstances, “pruning” 
the law to remove that perceived constraint might be an effective means of incentivizing 
better security; think of it as addition-by-subtraction. The trick, of course, is that the law in 
question likely serves a competing interest, and hence potential security gains might come 
at a significant cost to other worthy values. 

• One area in which pruning might help, for cybersecurity purposes, involves information-
sharing. 

B. What Sort of Information Might Be Shared? 

• We are concerned here with what I will call “threat intelligence,” but be sure to appreciate 
that this is a term of convenience rather than a term of art with well-settled meaning and 
scope. That said, what does it encompass? At a minimum, it includes “Indicators of 
Compromise” (aka “IOCs”). IOC is a shorthand for the idea that there are technical 
signatures and other tells that reveal unauthorized activity. This could be the “signature” for 
known exploits, or the URL of a known botnet command-and-control server, etc. Sometimes 
you'll see the phrase “threat indicator” used for this type of intelligence. But “threat 
intelligence” for at least some people has a broader scope, and might encompass other 
useful information, both of a technical variety (for example, details about a newly-
discovered vulnerability or patch) and otherwise (for example, information about the 
capabilities, motives, intentions, or characteristic tactics, techniques, and procedures of 
potentially-hostile entities or individuals). Be able to define and apply these categories. 

• Rapid dissemination of technical threat intelligence (IOCs, new vulns, and patches) is critical. 
It's just like ensuring widespread and rapid uptake of a vaccine. Understand how 
cybersecurity is, in this sense, akin to a public health issue. 

• Be alert to the possibility of miscommunication when someone makes a general reference to 
information sharing, and specifically to the possibility of confusion regarding which subtypes 
of information are at issue. 
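
To make the three subtypes of “threat intelligence” above concrete, here is an added example (my own illustration for this syllabus, not material from the course or from any assigned reading). It buckets a small feed into IOCs, vulnerability/patch information, and adversary tactics, and then shows that only the IOC subtype can be matched mechanically against network and endpoint logs; the other two inform analysts and patch priorities but have nothing to match against. Every domain, hash, advisory identifier and log line below is a constructed placeholder, not real data.

```python
"""Added example: sorting threat intelligence into the subtypes described in
the syllabus and matching the machine-usable subtype (IOCs) against logs.

All feed entries, domains, hashes, advisory ids and log lines are constructed
for this illustration; none refer to real infrastructure or real advisories.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class IntelType(Enum):
    """The three subtypes the syllabus distinguishes."""
    IOC = "indicator of compromise"            # exploit signature, C2 domain/URL, file hash
    VULN_OR_PATCH = "vulnerability / patch"    # newly disclosed bug or its fix
    ADVERSARY = "adversary capability / TTP"   # motives, intentions, characteristic tactics


@dataclass(frozen=True)
class IntelItem:
    kind: IntelType
    value: str   # a domain, a file hash, an advisory identifier, or free text
    note: str


# Constructed sample feed (placeholder values, not real intelligence).
SAMPLE_FEED: List[IntelItem] = [
    IntelItem(IntelType.IOC, "c2.badhost.invalid",
              "botnet command-and-control domain"),
    IntelItem(IntelType.IOC, "0123456789abcdef0123456789abcdef",
              "MD5 of a known dropper"),
    IntelItem(IntelType.VULN_OR_PATCH, "ADVISORY-PLACEHOLDER-001",
              "vendor patch for a remote code execution bug"),
    IntelItem(IntelType.ADVERSARY, "favours phishing with invoice lures",
              "characteristic tactic of a hypothetical group"),
]

# Constructed log lines: two web-proxy records and two endpoint file records.
SAMPLE_LOGS: List[str] = [
    "2024-01-10T09:00:01Z proxy user=alice dst=www.example.org status=200",
    "2024-01-10T09:00:07Z proxy user=bob dst=c2.badhost.invalid status=200",
    "2024-01-10T09:01:15Z edr host=ws-12 file=report.pdf md5=fedcba9876543210fedcba9876543210",
    "2024-01-10T09:02:30Z edr host=ws-07 file=invoice.exe md5=0123456789abcdef0123456789abcdef",
]


def split_by_type(feed: List[IntelItem]) -> Dict[IntelType, List[IntelItem]]:
    """Bucket a mixed feed by subtype, so a recipient can see at a glance which
    part is machine-matchable (IOCs) and which part is for human analysts."""
    buckets: Dict[IntelType, List[IntelItem]] = {t: [] for t in IntelType}
    for item in feed:
        buckets[item.kind].append(item)
    return buckets


def _ioc_pattern(value: str) -> "re.Pattern[str]":
    # Whole-token match: the IOC must not be preceded or followed by a
    # character that could extend a hostname or hash, so that
    # "c2.badhost.invalid.example" does not trigger on "c2.badhost.invalid".
    return re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)


def scan_logs(feed: List[IntelItem], logs: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_value, note) for every log line that contains
    an IOC from the feed. Only IOC-type items are consulted: a patch advisory
    or a description of a group's tactics has nothing to match against."""
    patterns = [(_ioc_pattern(i.value), i) for i in feed if i.kind is IntelType.IOC]
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(logs, start=1):
        for pattern, item in patterns:
            if pattern.search(line):
                hits.append((lineno, item.value, item.note))
    return hits


if __name__ == "__main__":
    for kind, items in split_by_type(SAMPLE_FEED).items():
        print(f"{kind.value}: {len(items)} item(s)")
    for lineno, value, note in scan_logs(SAMPLE_FEED, SAMPLE_LOGS):
        print(f"log line {lineno} matches IOC {value} ({note})")
```

Run as a script, it reports two IOC items, one patch item and one adversary item in the feed, and flags log lines 2 (the C2 domain) and 4 (the dropper hash). The point for the sharing debate is visible in the code: the two IOC entries could be shared and consumed automatically by any recipient, while the patch advisory and the tactics description need a human reader, which is one reason the “which subtype” question matters when people talk loosely about information sharing.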

C. Why is Information-Sharing Difficult, in Theory? 

• Information sharing can be government-to-government, government-to-private, private-to- 
government, and private-to-private. Each presents its own challenges, and overall there is a 
question here about why we might not get sufficient sharing without government 
intervention. Why would one government entity be reluctant to share information with 
another, within our own government or across governments? Why would the government be 
reluctant to share with the private sector, and vice-versa? Why might one private entity resist 
sharing with another? And do your answers depend on which subtype of “threat 
intelligence” is at issue? 

D. Pruning and Facilitating: The Cybersecurity Information Sharing Act of 2015 

• In 2015, Congress passed and President Obama signed a bill that included the 
“Cybersecurity Information Sharing Act of 2015” (generally known as “CISA”). The full text of 
that bill is here, but don't read the whole thing. Instead, look at specific provisions within it as 
follows: 

o Section 103: What exactly does this section oblige DNI, DHS, DOD, and DOJ to do in 
relation to information-sharing? 

o Section 104(c): What legal limitation(s) does 104(c)(1) overcome? What is the point of the 
caveat in 104(c)(2)? And why include the language in 104(c)(3)? 
o Section 104(d)(1) and (2): What burden does (d)(1) create, and can you relate this to any 
of the existing duties/burdens we studied the prior two classes? What obligation does 
(d)(2) impose? 

o Section 104(e): Why was this provision necessary? 

o Section 105: This one is long. Review it carefully to decide what its most important 
functions are. Then read this document to understand how the agencies have 
responded to section 105. Does this leave you with any concerns? 

o Section 106: What legal obstacles does this section prune? Does it go too far, not enough, 
or just far enough? 

o Section 108(i) and (k): What are the effects of these provisions? 
o Does this likely address all potentially-significant legal hurdles to sharing? 

E. A Closer Look at Whether and How Information-Sharing Occurs 

• Read this paper from Elaine Sedenberg and James Dempsey. 

• What is the purpose of an ISAC? And how is an ISAO different? Go online and see if you can 
locate examples of each; what do they appear to do? 

• Can you identify other entities or arrangements that facilitate information sharing? 

• What are the pros and cons of this diverse “ecosystem”? 

• Do the authors find CISA’s pruning useful? Why or why not, and are you convinced? 

• What other lessons do you glean from this paper? 

F. Better Security By Leveraging Government Contracting/Purchasing Power 

• Before we move on, let’s pause to note another significant tool that the government 
sometimes can wield to compel potential breach victims to improve their cybersecurity: 
putting demands for such improvements into the terms of significant government contracts. 

• Can you see how this is analogous to the leverage wielded by insurers? 

• Here’s an example involving an attempt by the government to leverage contracting power 
to keep certain private entities from using the antivirus products and other services of 
Kaspersky Lab (a Russia-based AV vendor that once had a substantial share of the US 
market, and still has a large global presence). Can you identify limits to the utility of this 
approach, based on this example? What are the pros and cons? 


15. October 24 Getting the Government to Protect Itself Better 

16. October 25 same 


In recent classes we have surveyed the set of tools that can be used to incentivize private sector 
entities to adopt stronger security measures. But what about the government’s own security 
practices? How do we get it to defend better? 

The “government,” of course, is not an “it.” The word “government” encompasses a vast array 
of distinct enterprises, any one of which may operate any number of separate networks, 
databases, etc. Even if we limit our focus to the U.S. government (leaving aside states, counties, 
cities, tribal governments, territorial governments, and so forth), the number of relevant actors is 
bewildering. Like the private sector, these entities have internal incentives to maintain the 
security and functionality of their systems (for example, the SEC does not want people to access 
private information and thus enable market manipulation, just as NSA does not want Russia to be 
able to learn its techniques and capabilities). But also like the private sector, we have ample 
reason to believe that, if left to their own devices, many if not most government entities would 
not—or perhaps could not—invest as much in security as they should. And so, again like the 
private sector, we need tools to compel these entities to try harder. 

Our goal in this class is to understand the basic elements of those tools: what they are, who is in 
charge of them, and how they came about as a historical matter. But before we dive into all of 
this, let’s make the subject concrete with a quick glance at a particularly-painful infosec failure 
for the federal government: the 2015 Office of Personnel Management (“OPM”) hack. 

A. The 2015 OPM hack as a case study 

• The most well-known data breach involving a U.S. government system involves the hugely-
successful operation in which Chinese hackers breached security at the Office of Personnel 
Management and thereby acquired a vast trove of security-clearance background check 
files. We could spend days and days learning the details of what occurred here, especially if 
I had you read the 241-page report that resulted from the Congressional investigation into 
this episode. But our aim here is limited, and so instead just read this article in order to answer 
these questions: 

o When we ask “how” the attack happened, one can answer either by explaining which 
vulnerabilities were exploited or by referencing larger factors that might explain why both 
the vulnerability and the exploitation went undetected for so long. Let’s consider both 
those questions. 

o As a technical matter: how did intruders gain access to OPM’s system, and—perhaps 
more importantly—what factors explain their ability to then move about within and 
extract data from the system? 

o In terms of the larger factors that made this possible: Can you imagine factors (such 
as expertise, management, bureaucracy, budget, legal requirements, policy 
requirements, culture, personality, and so forth) that might explain why the technical 
failings were possible? 

o If you were called upon to “fix” these large factors in the aftermath of this episode— 
and thereby hopefully reduce the chances for a repeat—what might each fix entail? 
And what considerations might make a particular fix difficult to implement? 

o As long as we have this case study cued up, let's use it for a quick review: 

o Can you categorize the OPM hack using the typology of government actions we 
reviewed earlier in the course? 

o In light of that categorization and drawing on our prior discussions of US-China 
relations, how should the U.S. government have responded? Think of three specific 
potential actions, and list pros and cons for each. 

B. Incentivizing improved government security: Does litigation risk help? 

• As we saw previously, one way to encourage defensive improvements is to increase the 
extent to which entities perceive that they are exposed to litigation risk for potentially- 
inadequate security. It works with private sector entities. Can it work with the government 
itself too? In theory, sure. But as things currently stand, government agencies do not face 
significant exposure as a practical matter. 

• First, note that government agencies do not have to worry about getting sued by...other 
government agencies. The FTC, state attorney general offices, and the like may loom large 
for private businesses, but they do not haul their fellow government agencies into court (let 
alone into their internal enforcement systems). And, similarly, government agencies typically 
do not have to concern themselves with what insurers think. 

• What does that leave, from a litigation-risk perspective? Government entities do face the 
possibility of suits brought by private plaintiffs. But such suits have a bad track record. Our 
goal now is to understand why. 

• The first problem is “sovereign immunity.” Unlike a private entity, federal and state 
government entities cannot be hauled into their own courts involuntarily; as sovereigns, they 
can only be sued if they have consented. 

• Does that ever happen? Yes, in fact it is common. Both federal and state laws are full of 
examples of statutes expressly waiving immunity as to certain types of claims. The question 
for us is: Do any of them apply in a setting where the government entity had poor 
cybersecurity? There are some that might, but in practice they've not yet proven to have 
much bite in the cybersecurity setting. 

• The most well-known statute of this kind at the federal level is the Federal Tort Claims Act. It 
waives immunity where a person suffers personal injury, property damage, or death as a 
result of wrongful or negligent conduct by a government official. Most states (including 
Texas) have something similar on the books. It is difficult to use these laws to sue successfully 
for damages relating to a data breach, however, in light of the injury requirement. 

• Other possibilities plaintiffs have tried include the Privacy Act and the Little Tucker Act 
(seriously, that's its name). Again, though, the track record is dismal. Both those statutes 
(along with several others) are central to a lawsuit filed in the wake of the massive Office of 
Personnel Management (“OPM”) hack (involving the theft of security-clearance 
background check data). The case, known as In re U.S. Office of Personnel Management 
Data Security Breach Litigation, is going poorly for the plaintiffs. In September 2017, in a 
ruling that currently is under appeal, the district judge granted the government's motion to 
dismiss all claims, including claims under those two statutes, explaining: 

o The Privacy Act (5 USC 552a): The Privacy Act is meant to regulate how government 
agencies manage their records, with an eye towards protecting the privacy of 
individuals in a way that is compatible with the need for agencies to make use of such 
information for proper purposes. Among other things, the Privacy Act authorizes private 
suits for situations in which an agency willfully or intentionally fails to adhere to Privacy 
Act rules and, as a result, the plaintiff suffers actual economic/pecuniary damage. The 
district court concluded that most of the plaintiffs in this case had alleged no such 
damages, and as for the two who did allege such harm (in the form of alleged identity 
theft) the allegations failed to link the harm to OPM's data breach. 

o The Little Tucker Act (28 USC 1346): This statute is analogous to the Federal Tort Claims 
Act, but instead of permitting tort suits against the government it permits breach-of-
contract actions. The plaintiffs suggested that the government implicitly (or perhaps 
even expressly) contracted with them to protect the data provided during the 
background-check process. The district court concluded, however, that there was no 
relevant contract between the government and the individuals whose data was 
exposed in the OPM hack. 

o Should Congress adjust one or more of these laws in order to improve the prospects for 
private litigants challenging government agency security practices? 
o Even if it does so, is it clear that the increased exposure would impact agency 
decisionmaking in a manner similar to the way that litigation risk may impact the 
decisionmaking of private entities? 

C. Directly Requiring Better Security: The Role of Government Self-Regulation 

• It may be that litigation risk is never going to play a major role in encouraging government 
agencies to try harder, but there are other tools in the toolkit. The one that looms largest with 
respect to the government's own cybersecurity is self-regulation. 

• Note that we previously observed that the private sector likely would not pursue security 
aggressively enough if every private entity was left to its own devices. Why should we 
expect self-regulation to be more impactful when it comes to public-sector entities? Hint: 
Remember that the government is a “they” and not an “it,” meaning that there are many 
different entities in complex relation with one another in “the government”—and “self-
regulation” in this context accordingly might better be described as “cross-governmental 
regulation.” 

• Our goal now is to understand the most significant current sources of government self-
regulation, seen in historical perspective. More specifically, let's look at the government-wide 
policies that have been imposed both by statute and by executive order. 

• Let's start (somewhat arbitrarily) in 1996, during the Clinton administration. A statute passed 
that year tasked the Secretary of Commerce with establishing information-security standards 
that the rest of the government would henceforth have to follow (well, not everyone; 
defense and intelligence agencies were left to follow their own rules in this respect). The 
statute specified that the Secretary should base his or her directives on the standards and 
guidelines developed by the Commerce Department's National Institute of Standards and 
Technology (better known as “NIST”), which is a deeply-respected technical organization. 

• Fast-forward six years, to the early years of the George W. Bush administration. In 2002, 
Congress passed the Federal Information Systems Management Act of 2002 (“FISMA,” 
pronounced “fiz-muh”). FISMA updated the 1996 law, shifting the standard-setting role from 
Commerce to the White House's Office of Management and Budget (OMB) while also 
clarifying that OMB would not just set standards but also would review agency compliance 
with those standards on at least an annual basis. 

• Significantly, FISMA 2002 also directed the creation of an “information security incident 
center” that would both provide expert advice (including in the face of an unfolding 
emergency) and function as a threat intelligence hub (collecting and analyzing information). 
This eventually became US-CERT (“Computer Emergency Response Team”), which today is 
housed within DHS. This was not a matter of improved-defense via self-regulation, of course, 
but rather one of improved-defense via capacity-building. 

• After another six years, in 2008, President Bush issued National Security Presidential Directive 
54/Homeland Security Presidential Directive 23. NSPD 54/HSPD 23 called for DHS (then still a 
relatively-new agency, as it was created by legislation in 2004) to play the lead role in 
protecting federal networks. Among other things, it directed DHS to act through US-CERT to 
monitor and protect all “external access points” associated with federal government 
systems, and to provide intrusion detection, incident analysis, and other capabilities. Again, 
this was not a matter of self-regulation, but rather one of capacity-building. 

o DHS responded to this assignment by, among other things, developing and deploying an 
intrusion-detection system labeled “Einstein.” Here is an account of Einstein versions 2 
and 3 from a few years ago (full source here, but just read the excerpt below): 

• ...DHS is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of 
inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious 
content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential 
malicious activity while conducting automatic full packet inspection of traffic entering or exiting 
U.S. Government networks for malicious activity using signature-based intrusion detection 
technology. ... EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious 
or potentially harmful activity in federal network traffic and provides correlation and visualization 
of the derived data. [Meanwhile, DHS is developing a new system], called EINSTEIN 3, [that] will 
draw on commercial technology and specialized government technology to conduct real-time 
full packet inspection and threat-based decision-making on network traffic entering or leaving 
these Executive Branch networks.... The EINSTEIN 3 system will also support enhanced information 
sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate 
alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send 
alerts that do not contain the content of communications to the National Security Agency (NSA) 
so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.... DHS will 
be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and 
DoD information assurance missions for use in the EINSTEIN 3 system in support of DHS’s federal 
system security mission. Information sharing on cyber intrusions will be conducted in accordance 
with the laws and oversight for activities related to homeland security, intelligence, and defense in 
order to protect the privacy and rights of U.S. citizens. 

• In 2010, during the Obama administration, OMB formally delegated to DHS the oversight role 
FISMA 2002 had given it, but OMB kept its statutory function promulgating NIST-based 
standards for agencies to follow. 

• In 2014, Congress confirmed this division of labor between OMB and DHS, through an 
updated version of FISMA (“FISMA 2014”). FISMA 2014 also enhanced DHS’s authority in a 
key respect. In addition to having lead responsibility for monitoring agency compliance with 
OMB rules, DHS now also has the ability to issue “binding operational directives” requiring 
agencies to take some particular step. 

• The DHS-based organization responsible for both cybersecurity and critical infrastructure 
protection (encompassing NCCIC and US-CERT, among other things) used to be known by 
the aggressively non-descript name the National Programs and Policies Directorate (i.e., 
NPPD). Thanks to new legislation in November 2018, NPPD has a more-fitting name: the 
Cybersecurity and Infrastructure Security Agency (that is, “CISA”; this is, unfortunately, the 
same acronym as the 2015 information-sharing and liability-pruning statute we studied 
previously). Think of CISA as the bureaucratic equivalent of FEMA: a unified, mission-defined 
component under the overarching management of DHS. This statutory improvement in the 
bureaucratic optics of the organization does not entail formal change to CISA’s authority, 
yet the move nonetheless is expected by some to increase the stature and influence of CISA 
(and its Director) in informal ways. 

• As a matter of institutional design, does this arrangement make sense to you? 

• Does any of this change your view regarding lessons to be learned from the OPM fiasco? 

• In May 2017, President Trump issued an executive order addressing federal agency 
cybersecurity, as well as other matters. Read ONLY section 1 of the order, here. 

o Can you describe what, specifically, is new about this (hint: can you explain what 
“accepted risk” means?) 


C. After the Fall: Managing Consequences 

Even if we have strong incentives for potential victims to take protective measures, and even if 
we impose significant costs on attackers, some successful attacks will occur. What then? Time to 
manage the consequences. 

Breaches come in all shapes and sizes. In most instances, the consequence-management 
challenge is a matter of concern primarily to the victim entity itself (as well as to those persons 
whose data may have been exposed). Sometimes, though, a breach has wider significance—
perhaps even calling for involvement by the U.S. government. 

Our primary aim in this subunit is to consider which situations warrant such involvement, what 
form such involvement might take, and how the government has organized itself to 
answer those questions when particular cases arise. Next, we'll conclude Unit I with a look at a 
recurring scenario that implicates most if not all of the topics we've considered up to this point in 
the course: botnets. 


17. October 31 Cases of National Significance 

18. November 1 same 


Most breaches do not implicate the national interest, at least not when considered in isolation. 
This is certainly true for most private-sector cybersecurity incidents. Put another way, most 
intrusions do not warrant consideration of whether and how to marshal various instruments of 
national power in the course of managing the response. But some scenarios do warrant exactly 
that sort of response. Which ones count in this way, who decides, and what follows from such a 
determination? Our goal is to understand how the U.S. government gradually has developed an 
approach to answering those questions. 

A. Critical Infrastructure 

• A good place to begin with this topic is the concept of “critical infrastructure.” That phrase 
captures the idea that our daily lives depend to no small extent on certain particularly-
important systems, services, and structures. As DHS has put it: “critical infrastructure provides 
the essential services that underpin American society and serve as the backbone of our 
nation's economy, security, and health. We know it as the power we use in our homes, the 
water we drink, the transportation that moves us, the stores we shop in, and the 
communication systems we rely on to stay in touch with friends and family.” Some of these 
systems are themselves associated directly with cyberspace (for example, various parts of 
our communications architecture). But most concern other things such as health care, 
electricity, sanitation, or transportation. 

• There are many potential sources of harm to critical infrastructure. Some of these are 
unintentional, as with accidents, natural disasters, and simple wear-and-tear accumulating 
with the passage of time. Others are purposeful, however, as seen with both physical forms 
of attack and also disruption achieved through cyber means. Our concern, of course, is 
harm to critical infrastructure achieved via cyber means. More specifically, we want to 
understand the policy and legal issues associated with minimizing such harm. The ideal way 
to minimize harm is to prevent it from occurring in the first place. Much of the course up to 
this point has been concerned with exactly that. Another important part of harm 
minimization, though, involves optimizing systems for rapid mitigation of harm once it does 
occur. 

• If all critical infrastructure was in the hands of the government, it would be relatively clear 
how to go about organizing incident response with an eye towards harm minimization. Most 
critical infrastructure is not in the government's hands, however; for the most part it is owned 
by private entities. This significantly complicates matters. For systems that are owned by 
private entities, prevention and mitigation of harm at least in the first instance is the 
responsibility of the owner. Still, given the high stakes theoretically involved with critical 
infrastructure, it makes sense that there might also be some degree of involvement from 
some government entity. And, as it happens, the federal government for many decades has 
been developing its procedures for determining its role in such situations. 

B. Developing a Critical Infrastructure Strategy During the Obama Years 

• Both the Clinton and George W. Bush administrations were aware of this concern, and took 
a variety of important initial steps in response to it. Having said that, our study of this topic will 
jump into the sequence of developments circa 2013, with a pair of actions by the Obama 
administration. 

1. Executive Order 13636 - EO 13636 is not primarily about consequence management (it 
mostly focuses on encouraging improvements to defense), but it does address the topic 
to a small extent. 

o Section 7: This section directs the National Institute of Standards and Technology 
(“NIST”) to create a “Cybersecurity Framework” meant to help critical infrastructure 
owners minimize their cyber risk. NIST published the first version of the Framework in 
February 2014, and then published an updated version in April 2018. The following 
language from the original 2014 version explains what the Framework does—and 
does not—aspire to do: 


“The Framework uses risk management processes to enable organizations to 
inform and prioritize decisions regarding cybersecurity. It supports recurring risk 
assessments and validation of business drivers to help organizations select target 
states for cybersecurity activities that reflect desired outcomes. Thus, the 
Framework gives organizations the ability to dynamically select and direct 
improvement in cybersecurity risk management.... The Framework provides a 
common language for understanding, managing, and expressing cybersecurity risk 
both internally and externally. It can be used to help identify and prioritize actions 
for reducing cybersecurity risk, and it is a tool for aligning policy, business, and 
technological approaches to managing that risk. ... The Core is not a checklist of 
actions to perform....” 
The NIST Framework thus is a template for an organization to engage thoroughly in 
assessment and management of cybersecurity risk. The graphic below illustrates the 
range of activities it encompasses in a sequential way. Which parts, if any, concern 
consequence management? 
[Figure: NIST Cybersecurity Framework functions (PROTECT, DETECT, RESPOND, RECOVER shown) 
with example categories: Asset management; Access control; Anomalies and ...] 
o Section 8: Next, read Section 8(a) and answer these questions: 

o Does the Executive Order purport to make private sector critical infrastructure 
owners legally obligated to adopt and adhere to the Cybersecurity Framework? 
o Should it do so? 

o Would it work, legally, to create such an obligation via Executive Order? 
o Does the existence of the Framework nonetheless cast a legal shadow of sorts, 
one that might at least create incentives for CI owners? 
o Using that same link above, read Section 8(e). Does this suggest to you another 
way the government could compel compliance with the NIST Framework? 
o Why do you suppose the government did not take a more-prescriptive approach 
to compelling improvements to private-sector prevention-and-mitigation efforts 
relating to critical infrastructure? 

o Sections 9 and 10: Read Sections 9 and 10. Section 9 calls for the government to 
identify a subset of critical infrastructure entities. What is the purpose of this 
subcategory, what is its label, and what is the standard to determine which entities 
fall within it? Section 10 directs those federal agencies that happen to have 
regulatory authority over entities within this subset (for example, the Department of 
Energy would have authority to regulate a nuclear power plant) to review the 
sufficiency of their regulations as they might pertain to cybersecurity. Section 10 adds 
that if an agency concludes it needs greater regulatory authority in the area of 
cybersecurity, it should say so. It also requires agencies to report on the possibility of 
over-intrusive regulations. How might this help both prevention and mitigation? Finally, 
notice this from Section 12 of EO 13636: “Nothing in this order shall be construed to 
provide an agency with authority for regulating the security of critical infrastructure in 
addition to or to a greater extent than the authority the agency has under existing 
law.” What might explain the inclusion of this language, and does that explanation 
help you explain in turn why EO 13636 is not more prescriptive? 

2. PPD-21 - On the same day that President Obama issued EO 13636, he also issued 
Presidential Policy Directive 21 (“PPD-21”) (it is available here if you are curious, but you 
do not need to read it). Among other things, PPD-21 identified 16 critical-infrastructure 
“sectors” of the American economy, pointing out for each sector which federal agency 
normally shall play a leading role (the “sector-specific agency,” or “SSA”). PPD-21 directs 
the Secretary of Homeland Security to update the list periodically. 
o PPD-21 borrows from a statute (42 USC 5195c if you are curious) to define “critical 
infrastructure” to encompass “systems and assets, whether physical or virtual, so vital 
to the United States that the incapacity or destruction of such systems and assets 
would have a debilitating impact on security, national economic security, national 
public health or safety, or any combination of those matters.” Are you satisfied by this 
definition? 

o Review the current list of 16 sectors that count as CI. Do you agree with all the sectors 
included here? Anything missing? 

o Just prior to the inauguration of President Trump in January 2017, DHS Secretary Jeh 
Johnson added election systems to the CI list for the first time. Do you see language 
in his statement suggesting a felt need to downplay this decision? What might 
account for that? What factors did Secretary Johnson cite in order to ameliorate 
possible objections to this step? Does your answer to that question give you reason to 
doubt whether the critical-infrastructure designation has enough significance? 

o Does Hollywood belong on this list? Recall that North Korea several years ago 
engaged in a massive hack of Sony Pictures Entertainment, to punish Sony for 
producing the “comedy” The Interview. Was that best understood as an attack on 
America's critical infrastructure? Go to the DHS page listing the 16 sectors, and click 
on the link for the Commercial Facilities sector. From there, navigate to the “Sector- 
Specific Plan,” and use that document to answer this question: Does DHS think that 
the Sony Hack was an attack on critical infrastructure? Next, refer back to PPD-21's 
definition of critical infrastructure. Does the Commercial Facilities sector-specific plan 
seem to stay within the bounds of the PPD-21 definition? 

• Neither EO 13636 nor PPD-21 attempted to spell out how the executive branch should 
handle coordination, deconfliction, and other matters in the event of a private-sector 
cybersecurity incident that arguably warranted some form of federal intervention. But a 
subsequent PPD in 2016—PPD-41, titled “United States Cyber Incident Coordination”—took up 
this task. Using that link, read the sections noted below in order to answer these questions: 

o Section II 

o What is the difference between a “cyber incident” and a “significant cyber incident?” 

o Why draw that distinction? 

o Ponder the definition of “significant cyber incident.” Is it sufficiently clear so as to 
yield predictable answers as to which incidents fall into that category? 

o Section IV 

o Can you explain the difference between and among “threat response,” “asset 
response,” and “intelligence support/related activities”? 

o In practical terms, what specific forms of federal government involvement does 
Section IV suggest will occur with run-of-the-mill cyber incidents? 
o Section V - This section applies only to “significant cyber incidents.” 

o What is the difference between the Cyber Response Group and the Cyber Unified 
Coordination Group? Read Section II.A. of a separate document—the “Annex” to 
PPD-41—to understand who sits on the CRG and what it should do. Then read Section 
II.B of the Annex to understand more about the Cyber UCG concept. 

o Why do we need either of these in relation to “significant cyber incidents,” but not 
run-of-the-mill “cyber incidents”? 

o In Section V(c), certain responsibilities are placed on the FBI (in coordination with the 
National Cyber Investigative Joint Task Force organization, which FBI leads), DHS (in 
the form of CISA's NCCIC unit), and the Office of the Director of National Intelligence 
(through its CTIIC). How if at all is this different from what would occur if an event was 
merely a “cyber incident”? 

• The National Cyber Incident Response Plan—The last part of the Annex to PPD-41 directed 
DHS to work with others to create a “national cyber incident response plan” within six 
months. In December 2016, DHS accordingly published The National Cyber Incident 
Response Plan. The full version is available here, but don’t read the whole thing (unless you 
want to!). I’m only interested in having you read the section on “Operational Coordination 
During a Significant Cyber Incident,” which starts on p. 29 and ends on p. 35, plus Annex B on 
p. 38. 

o The NCIRP sheds additional light on when an incident counts as “significant.” How so, 
and did you find this useful? 

o You have seen how both PPD-41 and the NCIRP empower certain entities to take a 
lead role in terms of threat, asset, and intelligence response. Would you add or 
subtract anything from this arrangement, and if so would you make that change as to 
all significant cyber incidents or only upon satisfaction of certain conditions? That's 
another way of asking: Do we need further gradations of severity in order to enable 
different default rules for lead agency responsibility and mandatory decision-making 
and coordinating processes? Or is this the sort of question that cannot—and 
perhaps should not—be reduced to clear rules in advance? 

C. The 2017 Executive Order from the Trump Administration 

• In May 2017, President Trump issued Executive Order 13800 (“Strengthening the Cybersecurity 
of Federal Networks and Critical Infrastructure”). In an earlier class we read portions of it 
dealing with the task of improving the security of federal systems. Now we look at what it has 
to say about protection of CI. Read the following subparts of Section 2 of EO 13800, and 
consider the following questions: 

o Section 2(b)—This subsection gave DHS six months to investigate the prospects for the 
federal government to do more in relation to protecting the CI entities identified under 
“Section 9” of EO 13636 (Feb. 2013) (see above to remind yourself what that means). 
What do you suppose the drafters had in mind here as a possibility, and what obstacles 
might arise if the government pursues that course? 
o Section 2(c)—This subsection calls for study of “market transparency of cybersecurity risk 
management practices by” CI entities, especially the publicly traded ones. What is this 
about, and how might pressure in this area help spur better security practices? 

D. Why not just have government directly prevent and mitigate attacks on these systems? 

• Have you noticed that none of the documents reviewed above has attempted to address 
cyber threats to critical infrastructure by having a government entity—the NSA, CYBERCOM, 
etc.—actually take direct responsibility for monitoring networks and performing security 
functions directly on behalf of private entities? List the pros and cons of empowering NSA or 
other government entities to take on such a role. 

• Note that there is no reason to think DOD affirmatively seeks such a mission. Consider this 
excerpt from the written testimony of a Defense Department official, before the Senate 
Armed Services Committee, in October 2017: 


STATEMENT OF MR. KENNETH RAPUANO 

ASSISTANT SEC. OF DEF. FOR HOMELAND DEFENSE & GLOBAL SECURITY 

TESTIMONY BEFORE THE SENATE ARMED SERVICES COMMITTEE 
OCTOBER 19, 2017 

...Although DoD has built capacity and unique capabilities, for a number of reasons, I 
would caution against ending the current framework and against reassigning more 
responsibility for incident response to the Department of Defense. 

First, DoD’s primary mission is to provide the military forces needed to deter war and to 
be prepared to defend the country should deterrence fail, which requires us to be prepared 
at all times to do so. DoD is the only department or agency charged with this mission, 
and success in this requires the Department’s complete focus. In this case, any significant 
realignment of roles and responsibilities will have opportunity costs, including absorptive 
capacity to build mission capability in a new area, especially ones that could distract the 
Department from its core warfighting missions. 

Second, the United States has a long normative and legal tradition limiting the role of the 
military in domestic affairs. This strict separation of the civilian and the military is one of 
the hallmarks of our democracy and was established to protect its institutions. 

Designating DoD as the lead for the domestic cyber mission risks upsetting this 
traditional civil-military balance. 

Third, a primary civil reliance on DoD in the steady-state would result in increased 
demands that could not be met without significant changes in resource allocation. We 
would expect even greater demand in a conflict scenario, when there might be a natural 
tension in the need to preserve DoD mission capabilities and requests for support to 
civilian agencies. Even with such a change in resource allocation, the addition of a new 
mission would likely detract from the focus on and readiness for the warfighting mission. 

Finally, putting DoD in a lead role for cyber incidents creates an exception to accepted 
domestic response practice in all other domains, which would disrupt our efforts to 
establish and maintain unity of effort. Civilian agencies have the lead responsibility for 
domestic emergency response efforts; this should not be different for cyber incidents. The 
Federal Government should maintain a common approach to all national emergencies, 
whether they are natural disasters or cyberattacks. 


• Is there a “third way” alternative? Consider this concept, advanced by then-Deputy 
Secretary of Defense William Lynn in a speech in 2010: 


“Years of concerted investments on the military side have placed critical cyber 
capabilities within the Defense Department and National Security Agency. We are 
already using our technical capabilities to support DHS in developing the Einstein 2 and 
3 programs to protect government networks. We need to think imaginatively about how 
this technology can also help secure a space on the Internet for critical government and 
commercial applications. 

For the .com world, could we create a secure architecture that lets private parties opt-in 
to the protections afforded by active defenses? In this way protection would be 
voluntary. Operators of critical infrastructure could opt-in to a government-sponsored 
security regime. Individual users who do not want to enroll could stay in the "wild wild 
West" of the unprotected Internet. This type of secure.com approach could build on the 
collaboration between DoD and the defense industry. It could offer an important gateway 
to ensure our nation's critical infrastructure is protected from cyber attacks.” 


• What are the pros and cons of this bifurcated model? 

II. THE OFFENSIVE PERSPECTIVE 

We've been defense-focused for many weeks now. That is, we've surveyed the institutions, laws, 
and policies intended to deter, prevent, and mitigate the consequences of unauthorized 
access. For better or worse, however, defense is not always the overarching policy goal. In the 
U.S. system, some institutions, laws, and policies promote (or at least tolerate) offense—that is, 
efforts to penetrate or interfere with a system without its owner's authorization (or, perhaps, 
awareness). For the sake of convenience, we might call this lawful-but-unauthorized access 
(meaning lawful from a U.S. perspective; needless to say, such activity may well violate the laws 
of other countries when it occurs overseas). 

You will note immediately, I hope, that the very idea that this category exists is in considerable 
tension with the policy goals advanced by, well, pretty much everything we studied in Unit 
I. Why, then, should there even be such a category? We will explore that question across 
several contexts. 

To a substantial extent, lawful-but-unauthorized access frameworks rest on the counterintuitive 
claim that it can, in the right circumstances, promote security. We see this, for example, in the 
arguments advanced by those who advocate empowering the private sector to respond to an 
attack with self-help measures that will have effect outside their own networks (that is, effects on 
the attacker's network, or more likely effects on intermediary networks through which an attack 
was routed). That's the “hack back” scenario, and we will focus on it first. 

But the case for lawful-but-unauthorized access does not have to rest entirely on that ground. In 
most cases, in fact, lawful-but-unauthorized access is intended to promote other values. We see 
this with law enforcement investigations, collection of foreign intelligence (that is, espionage), 
promotion of U.S. foreign policy or military goals via covert action, and military action both 
above and below the threshold of armed conflict. We will survey each of those scenarios, with 
an emphasis on the key institutions, policy conflicts, and legal frameworks. 


19. November 7 - Should We Allow the Private Sector to Hack Back? 


Are there circumstances in which we want someone in the private sector to be able to access 
another's system without their permission? We just completed a long unit focused on how the 
United States discourages that sort of thing, so the idea of encouraging it at first blush seems 
jarring. As we will see, however, there is a context in which some believe that the rules 
currently allow—or, if not, should be changed to allow—precisely this result. 

A. Why does this question arise? A hypothetical scenario to give us a frame of reference 

• Assume an OPM-like scenario involving a private sector entity, which we will call Company X. 
The Chief Information Security Officer (“CISO”) of Company X has just notified the CEO and 
the General Counsel that someone has gained unauthorized access to the company's 
network, has accessed sensitive files, has exfiltrated copies of some of these files to some 
external server already, and at this moment appears to be exploring for more such files. 

• You are the CEO. The CISO tells you that she has done some analysis, and is confident about 
a few things. First, she has determined the IP address of the server where the attacker 
appears to have stored the exfiltrated files at least initially. She says that her team very likely 
could cook up some malware of their own in order to access that server, and once inside to 
locate and delete any of the company's files found there. It should also be possible to 
determine who controls the server, including the possibility that it is some innocent third party 
whose own machine was compromised by the actual attacker in order to serve this staging 
function. In the latter case, the CISO says, it might also be possible to locate the server 
issuing orders to the compromised intermediate server, and so on until the identity of the 
attacker might become clear. The CISO is ready to make some or all of these attempts right 
now. 

o From a policy perspective, why might it be good to authorize the CISO to carry out some 
or all of these steps? 
o Why might it be bad? 

o Remember the Computer Fraud and Abuse Act. 

o Do any of these proposed actions potentially violate the CFAA? 
o Which specific section(s) of 18 USC 1030(a) might be violated? 

o If Company X cannot or should not take these steps, are there other entities that might do 
so—and are there obstacles to them doing so effectively? 

• Second, the CISO has identified the malware on the company's system that gave the 
attacker initial access to the company's system. Predictably, she says, it got there via an 
email phishing attack. You ask who was dumb enough to click on some infected link in an 
email. She coughs and looks at you uncomfortably, mumbling something about how this sort 
of thing could happen to anyone. You realize it was you... Happily, the CISO quickly 
changes the subject, explaining that she can easily remove the malware now. 

o Pros and cons of acting to remove the malware right now? (remember the OPM version 
of that issue) 

o Does removing the malware create exposure under the CFAA? 

• The CISO says there is another option: She could lay a trap for the intruder, generating a file 
designed to be attractive to the attacker but loaded with a hidden beacon. A “beacon,” in 
this context, is a program that will make periodic attempts to contact a control server in 
order to report on the current location of the file in which it is embedded. The CISO explains 
that this would be the digital equivalent of a GPS tracker hidden in a bag of cash stolen from 
a bank. 

o Wisdom of this step? 
o Legality under the CFAA? 

• Now assume that the company decides to pursue an aggressive option, tricking the intruder 
into exfiltrating a file that, when opened, will function as ransomware—i.e., encrypting as 
much of the system as possible while indicating to the system operator whom to contact or 
what other steps to take in order to recover access to their data. 

o Wisdom of this step? 
o Legality under the CFAA? 

B. Statutory Reform—CISA 2015 

• If you are inclined to think that certain forms of hack back may be desirable, but not actually 
allowed under CFAA (or, at least, not sufficiently clearly allowed), you might then consider 
the possibility of a statutory reform. And, indeed, some have pursued just that. 

• First, let's look back to a statute we previously studied in relation to information sharing. 
Remember CISA, the 2015 Cybersecurity Information Sharing Act? Read Section 104(a), 
which appears below in full: 

(a) AUTHORIZATION FOR MONITORING.- 

1. IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, monitor— 

A. an information system of such private entity; 

B. an information system of another non-Federal entity, upon the authorization and written consent of such 
other entity; 

C. an information system of a Federal entity, upon the authorization and written consent of an authorized 
representative of the Federal entity; and 

D. information that is stored on, processed by, or transiting an information system monitored by the private 
entity under this paragraph. 

2. CONSTRUCTION.—Nothing in this subsection shall be construed— 

A. to authorize the monitoring of an information system, or the use of any information obtained through such 
monitoring, other than as provided in this title; or 

B. to limit otherwise lawful activity. 

• Consider how this statute might apply to each of the measures recommended by the CISO 
in the hypothetical case of Company X, above. 

o Does Section 104(a)(1) make lawful anything that otherwise would be unlawful? 

Next consider Section 104(b) of CISA, which speaks of certain activities that count as “defensive 
measures” as defined in CISA. Before looking at the text of 104(b), in fact, we should pause to 
look at the statute's definition of “defensive measures.” Here it is, from Section 102(7): 

7. DEFENSIVE MEASURE.- 

A. IN GENERAL.—Except as provided in subparagraph (B), the term “defensive measure” means an action, 
device, procedure, signature, technique, or other measure applied to an information system or information 
that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a 
known or suspected cybersecurity threat or security vulnerability. 

B. EXCLUSION.—The term “defensive measure” does not include a measure that destroys, renders unusable, 
provides unauthorized access to, or substantially harms an information system or information stored on, 
processed by, or transiting such information system not owned by— 

i. the private entity operating the measure; or 

ii. another entity or Federal entity that is authorized to provide consent and has provided consent to that 
private entity for operation of such measure. 

• Now, on to Section 104(b) itself. It reads in full: 

(b) AUTHORIZATION FOR OPERATION OF DEFENSIVE MEASURES.- 

1. IN GENERAL.—Notwithstanding any other provision of law, a private entity may, for cybersecurity purposes, operate a 
defensive measure that is applied to— 

A. an information system of such private entity in order to protect the rights or property of the private entity; 
B. an information system of another non-Federal entity upon written consent of such entity for operation of 
such defensive measure to protect the rights or property of such entity; and 

C. an information system of a Federal entity upon written consent of an authorized representative of such 
Federal entity for operation of such defensive measure to protect the rights or property of the Federal 
Government. 

2. CONSTRUCTION.—Nothing in this subsection shall be construed— 

A. to authorize the use of a defensive measure other than as provided in this subsection; or 

B. to limit otherwise lawful activity. 

• Taking both Section 102(7) and 104(b) together, let's consider how they might apply to our 
hypothetical CISO suggestions: 

o Does this change the legality of any of the hypothetical steps? 

C. Statutory Reform: The “AC/DC” Act? 

• Not surprisingly, CISA was not the last word on a possible statutory change relating to 
hackback. Last year, two members of Congress introduced a bipartisan bill called the 
Active Cyber Defense Certainty Act (that's right, it's the AC/DC Act; insert puns here!). Read 
it here, focusing on Sections 3 through 6. In class, we will do a close review of these sections, 
with the goal of identifying what they seek to accomplish, whether they succeed, and 
whether the balance of costs and benefits seems worthwhile. 

• Note that the bill has received a frosty reception in some quarters, and has not yet been 
enacted. 


20. November 8 - Hacker Cops? Network Investigative Techniques 

21. November 15 - same 


Are there circumstances in which we want law enforcement officials to have the option of using 
unauthorized access to gather evidence? That is, do we want there to be situations in which law 
enforcement by law has authority to circumvent the security of a machine or device, without 
the owner/controller's knowledge or permission, in order to gather evidence of crime? And is 
this already possible, at least to some extent, under current law and policy? 

There are many variables that might impact your analysis of this issue. For example: Is the 
system in question (that is, the one to be breached) physically located in America? Is the target 
of the investigation, or in any event the person whose data is in issue, a US person with Fourth 
Amendment rights? How exactly will the breach be effectuated? Will the breach have effects 
other than mere acquisition of information? Does the operation run the risk of diplomatic 
repercussions, and if so of what kind and severity? Who will decide whether to do it, who will 
actually do it, and what oversight if any might there be? 

A. Network Investigative Techniques: Introduction to NITs and the Fourth Amendment 
• Read this article from Kim Zetter at Wired for an overview of law enforcement hacking—that 
is, the use of what the FBI would call a “Network Investigative Technique,” or “NIT.” 
o What are the potential policy benefits of allowing law enforcement to obtain evidence 
via hacking, and what are the potential costs? 

o Does your assessment of the policy pros and cons change if we assume for the sake of 
argument that the government has a search warrant (or, conversely, if we assume that it 
does not)? Context for those not already familiar with how search warrants work: The 
Fourth Amendment to the Constitution of the United States provides that an investigative 
measure that qualifies as a “search” must be “reasonable,” and also that no warrant 
can be issued by a judge unless the government shows that there is “probable cause” to 
believe that a crime has been committed and that the proposed investigation will yield 
evidence or fruits of that crime. Generalizing a bit, the courts have interpreted all this to 
mean that the government normally must have a warrant—and must stay within its terms 
when conducting the search—or else the fruits of the search will be suppressed (that is, 
excluded from admission at trial). Of course, that puts a lot of weight on the question of 
what counts as a “search” triggering this requirement. Since 1967, the test has been 
whether the person has a “reasonable expectation of privacy” in the thing or location 
being searched (with the reasonableness of that expectation being both a subjective 
and an objective inquiry). 

o As a general proposition, people have a reasonable expectation of privacy in the data 
they locally store on their phones, pads, and laptops. But then again, we increasingly 
don't store data locally on the good ol' C: drive. Or at least we don't exclusively store it 
there. More and more, we rely on cloud services that centrally store data on the servers 
of the company in question and then download files to the local device as needed. This, 
it turns out, may have significant constitutional implications. The Supreme Court has long 
held that when you have sensitive information but it is in the hands of a third party—like, 
say, your bank's possession of records about your financial transactions—you have 
effectively waived your claim to have a reasonable expectation of privacy. That rule— 
the so-called “Third Party Doctrine”—has been under pressure in recent years thanks to 
the evolution of communication and data storage technologies, and a few months ago 
the Supreme Court in a case called Carpenter held that the Third Party Doctrine should 
not apply to the specific situation in which the government sought seven days' history of 
the location data that a cell-phone service provider possessed about a customer's 
phone thanks to the fact that our phones are constantly connecting to the nearest 
tower. The Court explained that a combination of factors—including the 
comprehensiveness, depth, breadth, and unavoidability of this particular sort of data— 
made it different in kind from the analog-world scenarios that gave birth to the Third 
Party Doctrine originally. The Court was at pains to state that it was not overturning 
existing applications of the Third Party Doctrine, however. What does this have to do with 
NITs? 

o Another complication arises when data is stored outside the United States. The Fourth 
Amendment clearly protects the reasonable expectations of privacy of US persons and 
others within the United States, but under current caselaw it does not protect the privacy 
interests of non-US persons outside the United States. What does this have to do with 
NITs? 

o The first example of an FBI investigative technique mentioned in the article is “Carnivore.” 
That system was more in the nature of a wiretap, however, than a technical hack to 
circumvent information security measures. Still, the Carnivore story is a useful setup to 
explain the government's later interest in “keylogger” software. What is a “keylogger” 
and what technical problem did that approach solve? 
o The Scarfo investigation led to a complaint by a Justice Department official suggesting 
that FBI had “risked a classified technique on an unworth[y] target.” What harm could 
follow from using the keylogger at issue there? 
o What was different about Magic Lantern as compared to the Scarfo keylogger? 
o The next example in the article—CIPAV—concludes with the notion that Justice 
Department officials worried that excessive use of the NIT increased the “risk of 
suppression.” Does that mean something improper was going on? What could CIPAV do 
and when is that desirable? 

o The Wafering Flole Strategy: What is a “watering hole” in this context, and why might this 
approach be usetui tor NIT delivery? 

o The article concludes with a section subtitled “Big Questions Remain.” Read coretully, 
and decide which ot these questions seem most signiticant to you. 

B. NITs, International Relations, and International Law 

• Sometimes NITs target systems that are located overseas and thus give rise to serious 
international relations and legal complications. Read this short paper from Orin Kerr and 
Sean Murphy (responding to concerns from Ahmed Ghappour) exploring some of the 
resulting issues. 

o What had Professor Ghappour argued regarding the implications of international NITs for 
international relations? 

o How did Professors Kerr and Murphy respond? 

o Why might one think that an international NIT violates international law? 
o Why did Kerr and Murphy reject that view? 

o What if anything do we learn here regarding the internal system of management and 
oversight regarding the use of international NITs? 

C. The Disclose-or-Dismiss Dilemma 

• As we saw above, the Justice Department and FBI worry about maintaining the secrecy of 
how some such tools work. Read this Lawfare piece by Susan Hennessey and Nicholas 
Weaver in order to better understand how NITs function and why prosecutions can result in 
dilemmas pitting the interests of preserving secrecy against those of securing convictions. 

o Can you explain this dilemma? 

D. The Going Dark Debate: What Has This Got to Do With NITs? 

• That same Lawfare piece notes the connection between the idea of law enforcement 
hacking and the government's oft-stated fear that the diffusion of strong encryption can 
and will produce a “going dark” situation in which the government has a warrant (or other 
lawful authority) to access a system (a laptop, a phone, a message in transit) but neither it 
nor the company that made the system can decrypt the information therein. 

• To understand this issue better, read pages 1-15 (as numbered in the original text of the 
document, not just counting from the start of the pdf) of the “Don’t Panic” report issued by 
the Berkman Center at Harvard. Then read this essay from Susan Hennessey for Brookings 
(titled “Lawful hacking and the case for a strategic approach to 'Going Dark'”). 

o What are the policy concerns that motivate the FBI here? 

o What are the offsetting policy concerns? 

o What factors might make the situation worse for the FBI over time, and what factors might 
make it better? 

o What role does the “lawful hacking” idea play in addressing “going dark,” and is it 
necessarily cost-free to encourage resort to that solution? 
o Are state/local law enforcement entities similarly-situated to the FBI with respect to these 
debates? 


22. November 28 - Spy Games: Hacking as Espionage & Covert Action 


A. What Do We Mean By “Intelligence Activities”? 

• In prior classes, we have repeatedly discussed two categories of government activity 
(espionage and covert action) that usually are conducted by intelligence agencies and 
thus usually fall under the general heading of “intelligence activities.” Now we are going to 
revisit those concepts in a more systematic and contextualized way, using that larger label— 
i.e., “intelligence activities”—to frame our study. 

• Much like “active defense,” the phrase “intelligence activities” means different things to 
different people, and you need to be on guard against miscommunication as a result. That 
said: for our purposes, “intelligence activities” is an umbrella phrase meant to encompass no 
more and no less than the various categories of activity that an intelligence agency might 
engage in. The leading examples of those categories, as commonly understood in the U.S. 
context, include: 

1. Analysis - “Analysis” refers to the process in which experts apply their knowledge to 
information that has been gathered from various sources (open sources, human sources, 
signals intelligence, and so forth) in order to produce insights that then can inform the 
decisions and behaviors of a particular agency's various “customers” (such as the 
President, military commanders, diplomats, trade negotiators, etc.). Put another way, 
analysis is a scholarly process that is much more than just the circulation of raw 
information. The goal is to use expertise to convert raw information into “intelligence 
products.” The President's Daily Brief (“PDB”) produced by the CIA is a particularly- 
famous example. 

2. Collection - Where do analysts get the information that helps them produce products? 
That information has to be collected in the first instance. Some (but not all) collection 
takes the form of “espionage”—i.e., surreptitious, unauthorized acquisition of information. 
Espionage might take the form of hacking, but older and still-relevant options include 
inducement of a human source (with the inducement typically involving one or more of: 
money, ideology, coercion, or ego), interception of radio or other electromagnetic 
spectrum signals, satellite or aerial imagery, physical break-ins, and so forth. Note, 
though, that there is plenty of important information out there in “open sources,” too 
(more so in recent years thanks first to the Internet and now especially to social media). 
Collection from such open sources is an increasingly-important task for intelligence 
agencies. Note that it also has something of a levelling effect, as open-source collection 
for the most part is comparatively easy for non-state actors and less-resourced 
government agencies to perform. 

3. Covert Action - Covert action is an American term-of-art used for legal and policy 
purposes to categorize an activity that the government intends to have an actual effect 
(as opposed to merely collecting information) and where the sponsoring role of the 
government in causing that effect is not meant to be apparent or acknowledged. In 
short, covert action seeks to alter real-world circumstances in some fashion, without the 
government taking public responsibility for doing so. Critically, this category might involve 
all sorts of different conduct, ranging from the innocuous to the dramatic. For example, a 
covert action program might involve a modest, brief attempt to influence foreign 
opinions on some minor point, but then again it also might involve a massive and 
sustained campaign of sophisticated efforts to drive foreign opinions on a critical matter 
such as an election. Similarly, it might involve a modest effort to create physical problems 
in the development process for a foreign government's weapons program, or it might 
even entail the use of actual force—perhaps even lethal force—towards that end. 
Obviously, covert action in general presents a variety of legal, policy, and moral issues, 
and those issues sometimes are heightened by the particular details of the covert action 
in question (such as election meddling or the use of lethal force). 

• Analysis plays an important role, obviously. But for purposes of Unit II—with our emphasis on 
situations in which we encourage unauthorized access to computer systems—it is espionage 
and covert action that concern us. 

B. Ambiguity about Categorization 

• Recall a critical point we have emphasized in prior classes: these categories are 
conceptually distinct in theory, yes, but the distinction is not always present or discernible in 
practice. First, it is possible for particular scenarios to incorporate elements of more than one 
category at the same time. Second, some operations entail the option of pivoting from one 
purpose (say collection) to another (covert action), and thus proper categorization might be 
clear at one point but can then change. Third, and relatedly, it is possible that the right 
categorization just is not clear to an outsider with only limited factual understanding. 

• Consider this example: A CIA case officer cultivates a relationship with an Iranian scientist 
involved in Iran's nuclear program. The scientist is in a position both to share secrets and to 
cause practical problems for the nuclear program by interfering with equipment. 

o Should we categorize the recruitment as collection or covert action? 
o Assume that Iranian counterintelligence officials suspect something is afoot. Will they 
necessarily come to the same conclusion? 

o What if we are instead dealing with an intelligence activity in which a U.S. agency uses 
an exploit to gain access to a computer associated with Iran's nuclear enrichment 
program? 

C. Meet the U.S. Intelligence Community (“IC”) and Some of Its Key Components 

• The phrase “Intelligence Community,” often abbreviated as “the IC” (pronounced eye-see), 
is used in the United States to refer to the collection of federal agencies that engage in 
intelligence activities. Here's a thumbnail sketch of some of the key players for our purposes: 

• First, the big picture: the IC consists of seventeen different entities. Eight of them are part of 
the Defense Department (including, most notably for our purposes, the National Security 
Agency), and thus come within the budget, policy, and personnel domain of the Secretary 
of Defense. Seven others are part of the Departments of Justice, State, Treasury, and 
Homeland Security. Only two stand independent: the CIA, and the Office of the Director of 
National Intelligence (ODNI). 

• ODNI was created in 2004 with the goal of providing IC-wide coordination and services, and 
thus the Director of National Intelligence (“DNI”) to some extent functions as the head of the 
IC. The DNI's control over other IC members is limited both formally and functionally, 
however. One might say that the DNI combines with the Director of the CIA and the 
Secretary of Defense (or, perhaps more accurately, the Undersecretary of Defense for 
Intelligence) to form a sort of informal triumvirate of senior-most intelligence officials in the 
U.S. government. 
• In various ways, all seventeen components of the IC are relevant in relation to cybersecurity, 
for most of them engage in analysis and analysis is an important part of the defensive mission 
we examined in Unit I. But as noted above, our concern in Unit II is with situations in which 
the United States government encourages unauthorized access, and so we will focus on 
collection and covert action here. 

o That said, it is worth pausing to introduce a relatively-new part of ODNI that plays an 
important role in analysis and interagency coordination from a defensive perspective. In 
February 2015, possibly in response to a White House perception that the IC's members 
were not sufficiently coordinated in determining who carried out the attack on Sony that 
ultimately was attributed to North Korea, President Obama ordered the Office of the 
Director of National Intelligence to establish the Cyber Threat Intelligence Integration 
Center (“CTIIC”). CTIIC was directed to “provide integrated all-source analysis of 
intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. 
national interests,” serving as a sort of interagency hub for sharing and analyzing such 
information. Can you articulate how this mission differs from that of NCCIC, US-CERT, and 
FBI Cyber Division? 

• The National Security Agency (“NSA”): NSA is part of the Department of Defense, and has a 
complex set of missions that include collection and analysis (but not covert action). Most 
obviously, it is the lead agency for collecting foreign intelligence through electronic means in 
order to suit the needs of national customers like the President. Less obviously, it also collects 
to address the needs of military customers, including collection in support of ongoing 
combat operations. Further, NSA has a parallel defensive mission (as we have noted 
previously when discussing the protection of government networks). NSA also performs 
analysis of the information it collects. And, finally, NSA performs advanced research and 
development relating to various aspects of communications security (including, famously, 
cryptography). Note that the Director of the CIA also serves, simultaneously, as the 
commander of United States Cyber Command (“CYBERCOM”), which we will study in our 
next session. This arrangement is called “the dual hat.” 

• The Central Intelligence Agency (“CIA”): CIA is an independent federal agency that 
performs all three intelligence activities described above. It is the premier agency for 
conducting collection through human sources, though its collection methods are not limited 
to that approach. CIA also is America's lead agency for conducting covert action. 

• The Federal Bureau of Investigation (“FBI”): The FBI is, first and foremost, a law enforcement 
agency, and we already have explored FBI's use of Network Investigative Techniques (NITs) 
in the law enforcement investigative setting. But FBI is not just a law enforcement agency. In 
contrast to the British model, for example, FBI has a dual role in which it also serves as lead 
agency for collecting intelligence on foreign threats within the United States (that is, “foreign 
intelligence”). 

D. The Domestic Legal Framework for Collection and Covert Action 

• Over the past five decades, the United States has developed a complex legal framework 
relating to both collection and covert action activities. A full study of that framework is 
beyond the scope of this course (my spring course on the Law of the Intelligence Community 
covers it). There are some highlights that we should address, however. 

• Like most legal frameworks pertaining to government activity, the legal architecture for 
intelligence activities addresses three types of question: Which agencies have affirmative 
authority to engage in certain kinds of activity? What process must be followed in order for 
an otherwise-authorized agency to use its authority? And what substantive limits does the 
law place on the resulting activity? 
1. Authority - What is the affirmative legal authority for particular agencies to conduct 
particular intelligence activities (such as hacking to further a collection or covert action 
program) in the first place? 

a. Collection: There is no serious dispute about the affirmative authority of certain 
IC members to engage in collection. Take the CIA: Congress has expressly 
authorized it to “collect intelligence through human sources and by other 
appropriate means,” 50 USC 3036(d)(1), and has appropriated considerable sums 
for this purpose since the mid-20th century. Even if this were not the case, the 
executive branch would assert inherent authority to engage in foreign 
intelligence collection under Article II of the Constitution, citing the president's 
duties in relation to both foreign affairs and national defense. Note that this is 
quite different—and much less controversial—than asserting inherent authority 
also to override a statutory constraint. It is simply a claim that Congress's 
affirmative permission is not needed in order to engage in foreign intelligence 
collection (though Congress's money may well be needed!). As for NSA? The 
situation there is somewhat different, for there is no comparably-clear statutory 
statement spelling out NSA's various missions. There is a comparable history of 
Congressional funding and oversight, however, not to mention a deep history (for 
NSA is the institutional successor to Army and Navy entities performing similar 
functions in the first half of the 20th century) of presidents asserting authority to 
order the military to conduct this mission. The interesting questions about CIA and 
NSA collection, as we shall see, tend to concern not authorization as such, but 
rather the rules of process and substantive constraints spelled out below. 

b. Covert action: Covert action once was different. That is, there used to be a 
significant debate regarding whether the CIA in particular really had statutory 
authorization to engage in such activity. Defenders of CIA's covert action role in 
the past would point either to the president's inherent Article II authorities or else 
the euphemistic language in the National Security Act of 1947 which referred to 
CIA conducting “such other functions and duties relating to intelligence” as 
might be directed. That debate is no longer live, however. Beginning in the early 
1970s, Congress began imposing process and substantive rules relating to covert 
action, and in doing so removed any doubt that such activity was in fact 
authorized by Congress (so long as it complied with the new rules, which we will 
explore below). 

2. Process - Congress has passed a number of statutes regulating the process of 
engaging in both collection and covert action. Some of these rules control the ex ante 
process of deciding to engage in some particular activity (for example, must the 
executive branch obtain approval from a judge, or must some particular executive 
branch official approve?), while others involve ex post oversight (in the form of reporting 
to Congress). 

a. Collection: With respect to collection, the interesting issue is whether and when 
the government must obtain judicial approval for something it seeks to do. This is 
an immensely complex topic in general, and it is hard to talk about its application 
to hacking without going too far down a rabbit hole. For our purposes, though, 
the following sketch will suffice. First, bear in mind that the scenario we have in 
mind is one in which a U.S. intelligence agency might seek to gain unauthorized 
access to a computer in order to engage in collection. If this scenario comes up 
outside the United States, with non-U.S. persons as the target of the collection, 
then under current law there is no obligation (under either the Fourth Amendment 
or a statute) to obtain judicial permission. If, on the other hand, the target is a U.S. 
person or the collection activity will take place within the United States, it 
becomes much more complicated. If the aim is to engage in electronic 
surveillance of the target's communications, a court order almost certainly is 
required under the 1978 Foreign Intelligence Surveillance Act. In practical terms, 
that means asking the Justice Department's National Security Division to go to the 
Foreign Intelligence Surveillance Court (consisting of regular federal judges 
holding an additional appointment for this purpose) to authorize the surveillance 
based on a showing that there is probable cause to believe the target is a 
foreign power or agent of a foreign power. 

o What are the pros and cons of judicial involvement in that situation? 
o What are the pros and cons of not having judicial involvement with 
overseas collection on foreign targets? 

Note that, regardless of whether court involvement is required ex ante, a 
separate statute (two of them, actually) requires the IC to keep the House and 
Senate Intelligence Committees “fully and currently informed” of intelligence 
activities. See 50 USC 3091, 3092. 

b. Covert action: There is a simpler framework that governs the decision to 
engage in covert action, and it does not concern courts. Instead, it is a matter of 
requiring particular executive branch officials to sign off on covert action 
proposals. Title 50 of the US Code requires that any activity counting as a covert 
action must be approved by the President in writing. We call that the 
requirement of a presidential “finding.” This has been the rule since the early 
1970s. Prior to that time, there were no statutes attempting to regulate the covert 
action decision-making process, and presidents were under no obligation to 
commit in writing to the approval of covert action programs. 

o What benefits flow from this, and what costs? Think about it from the point 
of view of the president. If you had to sign such a finding, would you insist 
on certain internal procedures before you had to make that decision? 

As with collection, there also is a requirement that the executive branch share 
findings with the House and Senate Intelligence Committees (though with covert 
action, that sharing can be limited to certain leadership figures). 

o Does the obligation to “report” the finding to the intelligence committees 
accentuate the pros and cons you identified above, or reveal any new 
ones? 

Critically, Congress for better or worse has elected to add several statutory 
exemptions to the definition of covert action, removing the obligation to comply 
with the presidential finding requirement and the notification to the intelligence 
committees in certain situations notwithstanding that these situations involve an 
intent to influence events overseas without the U.S. government's role being 
apparent or acknowledged. Most significantly, it has stated that the covert 
action statutory process rules do not apply if the activity counts as a 
“traditional...military activity” (often referred to as “TMA”). An operation that 
qualifies as TMA therefore is not a “Title 50 covert action” after all, but instead a 
“Title 10 activity” (Title 10 being a part of the U.S. Code that addresses only the 
Defense Department). Alas, there is a long history of confusion surrounding the 
definition of TMA (and, hence, a long history of confusion about the line between 
Title 10 and Title 50 operations), and as of a few months ago there is some new legislation 
speaking to this question in specific relation to hacking. 
o Simplifying things a bit, the long-standing debate involves at least two 
camps. One takes a literal approach. On that view, an operation can 
count as TMA (and thus escape the covert action rules) only where it not 
only is to be performed by the military but also is of a kind (or at least quite 
analogous to a kind) traditionally performed by the military. 
o The other camp focuses (more accurately, in my view) on the detailed 
legislative history of the TMA statutory exemption. That history describes a 
broader exemption that eschews historical comparisons and instead 
simply asks (1) whether the operation in question is to be commanded 
and conducted by military personnel, and (2) whether it relates either to 
an ongoing armed conflict or to a circumstance for which operational 
military planning has taken place (which is a very wide set of 
circumstances). 

o Can you see (and explain) why this difference of legal interpretation might 
matter for an otherwise-covert cyber operation? 

o That debate continues unaltered in relation to most situations involving 
military activity that smacks of covert action, but recently Congress 
intervened on this subject specifically in order to reduce uncertainty 
about when a military-conducted cyber operation can qualify for the 
TMA exception. We will explore that plot twist in detail in our next 
assignment which focuses on the role of US Cyber Command. 

3. Substantive legal limits: In addition to allocating affirmative authority to perform 
certain actions and to requiring certain decisionmaking and reporting procedures, 
Congress also can regulate intelligence activities by placing certain actions off limits. 

That is, Congress could specify certain things that NSA, CIA, and other intelligence 
agencies simply may not do when collecting or engaging in covert action. For example, 
it could ban certain more extreme forms of covert action, such as the use of lethal force. 
Or it could produce a targeted ban on actions in certain places or for certain purposes. 
And so forth. So, what has Congress actually done? 

a. Collection - Whereas Congress has passed many rules relating to the 
decisionmaking and reporting processes for collection (though only where there 
is a U.S. person target or collection occurs within the United States), it has said little 
about substantive limitations on collection. The one clear counterexample is 
found in FISA, which specifies that a FISA judge may not conclude that a U.S. 
person is an agent of a foreign power (and thus a proper surveillance target) 
based “solely” on First Amendment-protected activities. 50 USC 1805(a)(2)(A). 

b. Covert action - There are a few substantive rules set forth in 50 U.S.C. 3093. First, 
section 3093(f) provides that covert action cannot be used with intent “to 
influence United States political processes, public opinion, policies, or media.” 

o Consider the following hypothetical situation: A president wants CIA 
to conduct a covert action that would include efforts to hack the 
personal email and social media accounts of various prominent 
foreign officials, then use the information obtained to plant stories in 
that country's media in hopes of impacting an upcoming election. 
Would this be barred by section 3093(f)? 

Another part of Section 3093—3093(a)(5)—states that the president's finding 
authorizing a covert action “may not authorize any action that would violate the 
Constitution or any statute of the United States.” 
o Refer back to the hypothetical situation in the previous question. 
Would section 3093(a)(5) prohibit that activity? 

o The proposed activity certainly would violate the criminal laws of the 
foreign state in question. Does 3093(a)(5) therefore bar the activity? 
What other considerations might come into play, besides legality as 
such? 

o Assume for the sake of argument that the proposed covert action 
would violate an international treaty or customary international law. 
Does 3093(a)(5) thus prohibit it? What other considerations might 
come into play, besides legality as such? Note: we will explore 
international law as it relates to nation-state hacking in the class-after- 
next. 

o Change the hypothetical such that a US agency will hack into foreign 
systems to acquire information, but nothing else will occur except the 
use of this information for analysis purposes. Does this change your 
analysis to the questions above? 

o Change the hypothetical again, such that a US agency will hack into 
a foreign system for purposes to be determined later as circumstances 
dictate. What complication does this introduce, and does it alter any 
of your answers? 


23. November 29 - Cyber War? Introduction to Cybercom 


In this class and the next, our focus switches to the U.S. military. 

A. Categories of Military Activity in the Cyber Domain 

At the risk of oversimplifying things, we might say that the military engages in three categories of 
activity in the cyber domain: 

1. ISR - Not surprisingly, the U.S. military engages in information collection and analysis on 
matters relevant to its missions and operations. Rather than calling that “collection” or 
“espionage,” however, the military traditionally calls this function “ISR” (an acronym that 
stands for “Intelligence, Surveillance, and Reconnaissance”). ISR always has been an 
important military function both in war and in peace, taking various forms ranging from 
cavalry scouts and foot patrols to aerial photography and radio intercepts. The cyber 
domain, from this perspective, is merely a (relatively) new environment in which ISR might 
occur. 

2. Network defense - The military of course defends its own communication networks. 
Those networks are known, collectively, as the Department of Defense Information 
Network, or “DODIN” (one commentator memorably described DODIN as “really not a 
single network, but a quasi-feudal patchwork of often incompatible local networks; it's 
the Holy Roman Empire of cyberspace”). Note, though, that the military does not 
normally have the role of defending other networks, such as those of the civilian parts of 
government or of the private sector. 

3. Operations to cause effects - The military also may conduct cyber operations to cause 
effects (which might include disruption or alteration of communications, alteration of 
data, or perhaps even damage to physical systems controlled by software). The most 
obvious setting in which this might occur would be armed conflict. But the military is 
capable, in theory, of engaging in such activity in circumstances that do not rise to the 
level of armed conflict. Should it do so? As we will read in just a moment, Congress 
thinks the answer is yes and recently passed legislation to encourage such operations in 
certain settings. For now, the important thing is to appreciate that the military's role in 
conducting cyber operations for effect is not necessarily limited to circumstances of 
armed conflict. 

Of these three categories of cyber activity, both ISR and operations to cause effect are likely to 
involve unauthorized access to someone else's network or device. 

B. A Caution About Terminology 

Before we move on, a word of caution is in order. You no doubt appreciate that there can be a 
significant difference between the common usage of a term and the way that the same term 
might have a specific, technical meaning for specialized audiences like lawyers. This can 
produce mutual misunderstanding, and you should be particularly alert for this problem when 
someone is describing cyber activities. 

The words “war” and “warfare” are good examples. Those words have much less legal 
significance today than they used to (today the critical international law concept is “armed 
conflict” rather than “war”). Still, they remain words with significant resonance, and people— 
including influencers like journalists and politicians—employ them routinely. This is unproblematic 
when the words are used in relation to the paradigm case of warfare, in which militaries use 
lethal force against one another. But beyond that paradigm scenario, disagreement begins to 
emerge regarding which other situations also warrant those same labels. The words prove to be 
both vague and ambiguous, especially when someone uses them in connection with cyber 
activities that are not simply part of a larger, conventional armed conflict. And yet the words 
often are used in precisely that setting. The word “attack” is much the same. It too is both 
vague and ambiguous, and it too is used promiscuously in describing cyber activities. 

o Do a search to find recent news articles that use the words “cyberwar” or “cyber 
attack.” Do any of the examples seem misplaced? 

o Is there any real harm from using the language of war and attack in expansive ways 
when describing cyber activities? 

o If you think there is overuse and that the overuse is harmful, can you think of plausible 
alternative language? 


C. An Introduction to CYBERCOM 


Our next task is to become acquainted with the institutional structures the U.S. military has 
adopted in order to facilitate its activities in cyberspace. As you might expect, there has been a 
great deal of organizational change in recent years, and more is likely to come in the near 
future. We will not attempt anything close to a comprehensive overview, but we will at least 
identify some of the most important current institutions and some of the bigger issues that they 
face. 
As an initial matter, let's recall that the NSA itself is part of the Defense Department, and that 
one of its core missions has long been collection of signals intelligence (a form of ISR) for 
combat-support purposes. The Defense Department also has long had a centralized 
organization (known since the early 1990s as the Defense Information Systems Agency (“DISA”)) 
to build, maintain, and (to some extent) defend military communication systems. The gradual 
emergence of cyberspace greatly complicated the organizational picture, however, especially 
as it began to become clear that cyberspace was not just a medium for communication but 
also an operational domain analogous to land, air, water, and space in that one can conduct 
operations for effect there. 

As Fred Kaplan explains in his book Dark Territory: The Secret History of Cyber War (available here 
if you are interested in going deeper), the military's effort to reorganize for cyber operations 
traces back to the late 1990s. As the Department began to appreciate how vulnerable its own 
networks were, it established a new office (the “Joint Task Force—Computer Network Defense,” 
or just “JTF-CND”) to coordinate defensive efforts. Kaplan writes that the 

“initial plan was to give [JTF-CND] an offensive role as well, a mandate to develop 
options for attacking an adversary's network.... [But the organizer] knew that the services 
wouldn't grant such powers to a small bureau with no command authority. ... 
[Eventually, in] 2000, JTF-CND became JTF-CNO, the O standing for “Operations,” and 
those operations included not just Computer Network Defense but also, explicitly, 
Computer Network Attack.... [JTF-CNO] was placed under the purview of U.S. Space 
Command...it was an odd place to be, but SpaceCom was the only unit that wanted 
the mission... [and] in any case, it was a command, invested with war-planning and 
war-fighting powers. [But key leaders] felt that the cyber missions—especially those dealing 
with cyber offense—should ultimately be brought to the Fort Meade headquarters of the 
NSA.” (pp. 121-22) 

It took many years, but that is what happened in the end. In the summer of 2009, Secretary of 
Defense Gates directed the creation of a new command—United States Cyber Command 
(CYBERCOM)—focused on both defensive and offensive functions. In order to ensure its rapid 
maturation, moreover, the new command would be collocated with NSA at Ft. Meade, and 
NSA's Director would be “dual-hatted” as the CYBERCOM commander as well. This would 
enable NSA to incubate CYBERCOM in terms of personnel, knowledge, technical capabilities, 
and so forth. Less obviously, it also would ensure a process for deconfliction of priorities should 
the interests of CYBERCOM in causing an operational effect in cyberspace come into conflict 
with the interests of NSA in collecting intelligence. 

o Can you hypothesize a situation in which NSA collection equities and CYBERCOM 
operational interests might conflict? 

So, what exactly is CYBERCOM's role? The Defense Department's 2015 Cyber Strategy 
document provides a handy explanation: 

"In 2012, DoD began to build a [Cyber Mission Force ("CMF")] to carry out DoD’s cyber 
missions. Once fully operational, the CMF will include nearly 6,200 military, civilian, and 
contractor support personnel from across the military departments and defense 
components.... The Cyber Mission Force will be comprised of cyber operators organized into 
133 teams, primarily aligned as follows: 

Cyber Protection Forces will augment traditional defensive measures and defend priority 
DoD networks and systems against priority threats; 

National Mission Forces and their associated support teams will defend the United States 
and its interests against cyberattacks of significant consequence; and 

Combat Mission Forces and their associated support teams will support combatant 
commands by generating integrated cyberspace effects in support of operational plans 
and contingency operations. 

Combatant commands integrate Combat Mission Forces and Cyber Protection Teams into 
plans and operations and employ them in cyberspace, while the National Mission Force 
operates under the Commander of USCYBERCOM. Outside of this construct, teams can also 
be used to support other missions as required by the Department.” 

Put simply, CYBERCOM has three core missions: defend DODIN (that's the job of the Cyber 
Protection Forces); provide combat support (that's the job of the Combat Mission Forces); and in 
special circumstances defend the nation more generally (that's the job of the National Mission 
Forces). 

Note the reference above to “combatant commands,” which will employ the Combat Mission 
Forces and to some extent the Cyber Protection Forces as well. This calls for a quick primer on 
what a “combatant command” is and how CYBERCOM fits into that picture. 

The traditional organizational structure of the Armed Forces of the United States involved a sharp 
division into a series of separate “service branches”: the Army, Navy, Air Force, and Marines (and 
the Coast Guard as well, though its precise status is complicated). The several branches not 
only recruited, trained, and equipped their own forces, but in the past they also planned and 
commanded their own operations (often, though not always, in coordination with one another). 
Today, they continue to recruit, train, and equip separately, but they no longer plan and 
command operations independently. We now have a “joint forces” model for purposes of 
actual operations. Under this model, assets generated by each branch come under the 
operational control of a single, unified command structure. More specifically, we now have a 
globe-spanning series of geographically-defined “combatant commands,” such as Central 
Command (CENTCOM, which encompasses the Middle East through to Afghanistan) and Indo- 
Pacific Command (INDOPACOM). 

So far so good, but it gets more complicated. In addition to these geographically-defined 
commands, we also have several additional commands that have no geographic boundaries 
but instead are defined by the particular functions they perform or support. CYBERCOM is such 
a command. Special Operations Command (SOCOM) is another. These functional commands 
are like the geographic ones in that their subordinate units and personnel are mostly generated 
by the various service branches, but then brought together under a “joint” command structure 
for operational purposes. In CYBERCOM's case, that means that Army, Navy, Air Force, and 
Marine units and personnel make up the various Cyber Mission Forces. 
Against that backdrop, it is easier to understand the description of CYBERCOM's various missions. 
First, CYBERCOM is charged with ensuring that the geographic combatant commands like 
CENTCOM are supported with both Combat Mission Forces and Cyber Protection Teams. 
Second, more generally, CYBERCOM oversees the defense of DODIN. Third, and most 
intriguingly, CYBERCOM has its own, direct operational responsibility in those limited 
circumstances in which it is ordered to defend the nation against significant cyber activities (this 
is the role of the National Mission Forces). 

Notice how that last role might dovetail with the issue we raised at the outset of this reading, 
regarding the role of the military in conducting cyber operations for effect outside the context of 
armed conflict. We'll talk more about that below. But first, consider this question: 

o You likely have heard that President Trump has called for the creation of Space Force as 
a new service branch in the U.S. military. Should we instead (or in addition) create Cyber 
Force, such that the task of recruiting, training, and equipping cyber mission teams falls 
to an independent branch rather than Army, Navy, Air Force, and Marines? 

D. Unleashing CYBERCOM for Combat-Related Operations? 

As CYBERCOM has matured, questions have arisen about whether it should move more 
aggressively to cause operational effects. For example, such questions have arisen in relation to 
combat operations. The following text is excerpted from a post I wrote for Lawfare in 2017, 
detailing problems that emerged when the Defense Department wanted CYBERCOM to 
conduct certain operations in relation to the armed conflict with the Islamic State: 

1. July 2016 - Reports of DOD frustration over pace of anti-ISIS cyber operations 

In July 2016, the Washington Post (Ellen Nakashima & Missy Ryan) reported on CYBERCOM’s 
efforts to disrupt the Islamic State’s online activities (internal communications, external 
propaganda, financing, etc.), emphasizing the view of DOD leadership that CYBERCOM was 
underperforming: 

An unprecedented Pentagon cyber-offensive against the Islamic State has gotten off to a 
slow start, officials said, frustrating Pentagon leaders and threatening to undermine 
efforts to counter the militant group’s sophisticated use of technology for recruiting, 
operations and propaganda .... 

But defense officials said the command is still working to put the right staff in place and 
has not yet developed a full suite of malware and other tools tailored to attack an 
adversary dramatically different from the nation-states Cybercom was created to 
fight. ... 

Although officials declined to detail current operations, they said that cyberattacks 
occurring under the new taskforce might, for instance, disrupt a payment system, 
identify a communications platform used by Islamic State members and knock it out, or 
bring down Dabiq, the Islamic State’s online magazine. ... 

The report is an excellent snapshot of several distinct challenges the military use of computer 
network operations can pose. 

One such challenge is operational capacity. The story suggests that CYBERCOM simply did 
not have the right personnel and the right exploits on hand for this particular mission, at least at 
the start. That’s a problem that can be fixed, and the report details the steps DOD began taking in 
2016 to do just that. 

Another challenge is the need to have an effective process for deconfliction between 
intelligence-collection and operational-effect equities. As the article summarized the 
issue: 


Whenever the military undertakes a cyber-operation to disrupt a network, the 
intelligence community may risk losing an opportunity to monitor communications on 
that network. So military cybersecurity officials have worked to better coordinate their 
target selection and operations with intelligence officials. 

This is not a novel tension, in the abstract. For as long as there has been signals intelligence, 
there have been tensions of this kind. When one side has access to the other’s communications, 
there will always be tension between the temptation to exploit that access for operational effect 
(with the opportunity cost of risking loss of that access going forward as the enemy realizes it has 
been monitored) and the temptation to instead exploit it for indirect intelligence advantage (with 
the opportunity cost of forgoing direct operational advantage in at least some cases). World War 
II provides famous examples. And so one might fairly ask: is there anything really different 
about computer network operations, warranting special attention to the topic in this setting? 

Perhaps. In this domain there is much more overlap between the means of collection and the 
means of carrying out a disruptive operation. Indeed, those means often will be the exact same: a 
particular exploit providing access to an enemy device, network, etc. It seems to me that this 
ensures that the tension between collection and operational equities will arise with greater 
frequency, and less room for workarounds, than in more familiar settings. 

Having mentioned both the operational capacity concern and the competing-equities concern, 
now is a good time to emphasize the significance of the status-quo for NSA and CYBERCOM: the 
dual-hatted commander. Whereas more familiar, traditional scenarios involving tension between 
collection and operational equities usually involve distinct underlying institutions and 
commanders, the status quo with respect to computer network operations has always (well, the 
past seven years) involved the dual-hatting of NSA’s director and CYBERCOM’s commander. 

This model in theory ensures that neither institution has a home-field advantage, and maximizes 
the chance that the key decisionmaker (yes, there can be important decisions both below and 
above the dual-hat, but the dual-hat is obviously in the key position) fully buys into and fully 
grasps the importance of each institution’s mission. 

Of course, it is possible that the dual-hat might tilt one direction to an unfair or undesirable 
degree. And it is possible that some might perceive such a tilt even when there isn’t one. As 2016 
wore on, questions of this kind began to appear in public, and by September the media was 
reporting that DNI Clapper and SecDef Carter both were in favor of splitting up the dual-hat. It 
was not the first time this topic had come up, to be sure; President Obama had considered 
ordering a split in 2013 (during the aftermath of the Snowden controversy), but had not taken 
that step at least in part out of concern about CYBERCOM’s independent operational 
capacity. Now the idea appeared to have momentum. 

A report from Ellen Nakashima in the Washington Post that same month suggested that this 
momentum was in part a product of CYBERCOM’s operational maturation, but also in significant 
part driven by the perception that Admiral Rogers, the current dual-hat, favored collection 
equities to an undue extent: 

“Whether or not it’s true, the perception with Secretary Carter and [top aides] has 
become that the intelligence agency has been winning out at the expense of [cyber] war 
efforts,”said one senior military official.... 

(See also this report by the New York Times, stating that frustration along these same lines 
contributed to the effort to get President Obama to remove Admiral Rogers in late 2016.) 

The Washington Post report also highlighted concerns that splitting NSA and CYBERCOM at the 
leadership level might actually weaken rather than empower CYBERCOM, as NSA inevitably 
would become free to withhold from CYBERCOM at least some exploits or other forms of access 
so that sources would not be lost: 

“Cyber Command’s mission, their primary focus, is to degrade or destroy,” the former 
official said. “NSA’s is exploit [to gather intelligence] only. So without having one person 
as the leader for both, the bureaucratic walls will go up and you’ll find NSA not 
cooperating with Cyber Command to give them the information they’ll need to be 
successful.” 

2. December 2016 - Congress puts on the brakes 

Against this backdrop, Congress intervened in late 2016 to slow down the Obama administration’s 
move to split the dual-hat. Section 1642 of the NDAA FY’17, enacted in late December, provides 
that NSA and CYBERCOM must continue to share a dual-hatted director/commander unless and 
until the Secretary of Defense and the Chairman of the Joint Chiefs of Staff jointly certify to 
certain Congressional committees (SASC & HASC; SSCI & HPSCI; and the Appropriations 
Committees) that separation will not pose “unacceptable” risks to CYBERCOM’s effectiveness, 
and that the following six conditions are met: 

(i) Robust operational infrastructure has been deployed that is sufficient to meet the 
unique cyber mission needs of the United States Cyber Command and the National 
Security Agency, respectively. 

(ii) Robust command and control systems and processes have been established for 
planning, deconflicting, and executing military cyber operations. 

(iii) The tools and weapons used in cyber operations are sufficient for achieving 
required effects. 

(iv) Capabilities have been established to enable intelligence collection and operational 
preparation of the environment for cyber operations. 

(v) Capabilities have been established to train cyber operations personnel, test cyber 
capabilities, and rehearse cyber missions. 

(vi) The cyber mission force has achieved full operational capability. 

Section 1642(b)(2)(C) (emphasis added). President Obama’s signing statement criticized 
Congress for imposing this requirement, but did not include a claim that it was 
unconstitutional. It remains the law at this time. 

3. Early 2017 - Complications in the War Against the Islamic State 

While lawmakers and policymakers wrestled with the pros and cons of splitting NSA and 
CYBERCOM, computer network operations against the Islamic State continued to accelerate. 

Along the way, however, new problems emerged. 
As Ellen Nakashima of the Washington Post reported in May 2017, CYBERCOM by late 2016 had 
encountered a new set of challenges in its enhanced effort to shut down ISIS sites and 
platforms: third-country effects. 

“A secret global operation by the Pentagon late last year to sabotage the Islamic State’s 
online videos and propaganda sparked fierce debate inside the government over 
whether it was necessary to notify countries that are home to computer hosting services 
used by the extremist group, including U.S. allies in Europe.... Cyber com developed the 
campaign under pressure from then-Defense Secretary Ashton B. Carter, who wanted 
the command to raise its game against the Islamic State. But when the CIA, State 
Department and FBI got wind of the plan to conduct operations inside the borders of 
other countries without telling them, officials at the agencies immediately became 
concerned that the campaign could undermine cooperation with those countries on law 
enforcement, intelligence and counterterrorism. The issue took the Obama National 
Security Council weeks to address...” 

This article highlights a third significant challenge associated with computer network 
operations: attacking the enemy’s online presence often requires, or at least risks, some degree of 
impact on servers located in other countries. Third-country impact involves both legal and policy 
challenges, and as the quote above illustrates it also brings into play otherwise-unrelated equities 
of other agencies. Thus, the competing-equities tension is not just a clash between collection and 
operational equities, but in some cases many others as well. The dual-hat command structure is 
primarily an answer only to the former, not the latter. 

Meanwhile, a sobering reality about the utility of cyberattacks on Islamic State communications 
began to become clear: the effects often did not last. This was the thrust of an important piece by 
David Sanger and Eric Schmitt in the New York Times in June 2017: 

[S]ince they began training their arsenal of cyberweapons on ...internet use by the 
Islamic State, the results have been a consistent disappointment, American officials say. 
... [It] has become clear that recruitment efforts and communications hubs reappear 
almost as quickly as they are torn down.... “In general, there was some sense of 
disappointment in the overall ability for cyberoperations to land a major blow against 
ISIS," or the Islamic State, said Joshua Geltzer, who was the senior director for 
counterterrorism at the National Security Council until March. "This is just much 
harder in practice than people think..." 

This suggested that the military equities that some felt had been undervalued by Admiral Rogers 
in the past were less weighty than proponents had assumed. Nonetheless, momentum towards 
separation—and concern that the dual-hat unduly favors collection equities—continues. 

In mid-July, reports emerged that the Pentagon had submitted to the Trump administration a 
plan for effectuating the split, with some of the accompanying commentary continuing to advance 
the argument that NSA holds CYBERCOM back to an improper extent: 

The goal, [unnamed U.S. officials] said, is to give U.S. Cyber Command more autonomy, freeing it 
from any constraints that stem from working alongside the NSA, which is responsible for 
monitoring and collecting telephone, internet and other intelligence data from around the world 
— a responsibility that can sometimes clash with military operations against enemy forces. 

This account raises a number of questions for you to consider: 

o Can you list the variables that may have constrained CYBERCOM in conducting 
operations for effect against the Islamic State? 
o What are the pros and cons of ending the dual-hat arrangement? 
o Military operations that produce damage in the physical world often are followed by 
enemy efforts to repair that damage and restore functionality. Is there reason to think 
such remediation efforts are, on the whole, easier in cyberspace? 

The account above refers to interagency battles over potential CYBERCOM operations, with 
CIA, State, and Justice objecting at certain points. This might cause you to wonder: What put 
those organizations in a position even to know about those plans, let alone to object effectively 
at the White House level? The answer has to do with an Obama administration policy directive 
that reportedly required interagency vetting of this sort for military cyber operations expected to 
have effects outside of areas of active hostilities. Notably, Trump administration officials have 
announced that this requirement has been revoked (in the form of National Security Presidential 
Memorandum 13, the precise details of which are not yet public). 

o What are the pros and cons of removing the interagency vetting requirement? 

E. Unleashing CYBERCOM for Operations Below the Threshold of Armed Conflict? 

Questions also have arisen about the authority of CYBERCOM (and especially the National 
Mission Forces, as noted above) to engage in operations to defend the nation against 
significant cyber activities outside the context of armed conflict. For example, can and should 
the National Mission Forces be used to conduct operations outside of DODIN—and perhaps 
even outside the United States—in response to efforts by foreign governments or other entities to 
use cyber means to interfere with U.S. elections? 

Congress thinks the answer should be yes, and took steps in the most-recent National Defense 
Authorization Act to prune away certain potential obstacles to an active CYBERCOM role. In 
particular, it sought to make clear both that (1) CYBERCOM has affirmative authority to engage 
in such activity in certain contexts and (2) CYBERCOM actions under that authority must be 
categorized as “TMA” rather than “covert action.” Let's have a look at the new statutory 
language on these points, and then answer some questions. 

First, Section 1642 of the NDAA Fiscal Year '19 provides in relevant part that: 

(a) AUTHORITY TO DISRUPT, DEFEAT, AND DETER CYBER ATTACKS.— 

(1) IN GENERAL. —In the event that the National Command Authority determines that the 
Russian Federation, People's Republic of China, Democratic People's Republic of Korea, 
or Islamic Republic of Iran is conducting an active, systematic, and ongoing campaign 
of attacks against the Government or people of the United States in cyberspace, 
including attempting to influence American elections and democratic political 
processes, the National Command Authority may authorize the Secretary of Defense, 
acting through the Commander of the United States Cyber Command, to take 
appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter 
such attacks under the authority and policy of the Secretary of Defense to conduct 
cyber operations and information operations as traditional military activities. 

Consider these questions about that provision: 
o What conditions must be met in order for this grant of authority to come into play? 

o Does anything go once the authority comes into play? 

o Can you relate this authority to the decision by the Trump administration to revoke 
interagency vetting of military cyber operations expected to have effects outside of 
combat zones? 

Second, Section 1632 of the NDAA provides that “clandestine military activity or operation in 
cyberspace shall be considered a traditional military activity,” full stop. 

o What is the practical effect of compelling the conclusion that “clandestine” military 
activity in cyberspace counts as TMA? Go back and review the discussion of TMA and 
covert action in the prior reading if needed. 

Note, though, that other statutory provisions require DOD to report to Congress (specifically, the 
Senate and House Armed Services Committees) on certain cyber activities. For example, 10 USC 
130j is a 2017 law that requires the Secretary of Defense to issue a written notice to the House 
and Senate Armed Services Committees within 48 hours for “sensitive military cyber operations,” 
defined to encompass any military cyber operation intended to have an effect overseas in a 
location that is not itself a combat zone. 

o Why be concerned to ensure oversight in that scenario? 
o Why exclude situations in which the effect is expected in a combat zone? 

Separately, 10 USC 484 requires the Secretary of Defense to provide quarterly briefings to the 
Armed Services Committees on “offensive and significant defensive military operations in 
cyberspace” without reference to where those operations were intended to have an effect. 

o Can you explain how the Section 484 reporting requirement differs from Section 130j? 

F. Defending Forward? 

An unclassified summary of the 2018 Defense Department Cyber Strategy made waves recently, 
thanks to this passage: 

“We will conduct cyberspace operations to collect intelligence and prepare military 
cyber capabilities to be used in the event of crisis or conflict. We will defend forward to 
disrupt or halt malicious cyber activity at its source, including activity that falls below the 
level of armed conflict." 

o Can you relate the idea of “defending forward” to any of the authorities described 
above? 

o Notice the separate reference to “prepare military cyber capabilities to be used in the 
event of crisis or conflict”. Can you relate this to our prior discussions of “preparation of 
the battlefield” and “hold at risk”? 


24. December 5 Cyber War? International Law Concerns 
Over the past two classes, we examined situations in which both intelligence agencies and the 
U.S. military might engage in unauthorized access of foreign networks and systems. We've 
looked at many provisions of U.S. law under that heading, but have not yet looked at what 
international law might have to say about it. In this final substantive session, we will focus 
exclusively on that question. 

A. International Law: A Brief Backgrounder 

Some of you will be familiar already with the nature of international law, but for the benefit of 
the rest I will provide a brief overview here. 

First, please note that when we speak of “international law” we are not talking about the law of 
any one particular foreign country. The law of Russia is simply “foreign law” from a U.S. 
perspective, just as America's law is merely foreign law from a Russian perspective. International 
law, in contrast, by definition exists on the international plane. 

The traditional understanding is that international law can come into being in two ways. First, 
sovereigns can form agreements—treaties—pursuant to which they voluntarily embrace certain 
obligations or constraints. This has the advantage of relative clarity, but note that it binds only 
the parties to the treaty. Second, international law also can come into existence via “custom” 
(i.e., “customary international law”), so long as two conditions are met: there must be a 
common, settled usage or practice undertaken or complied with by states, and they must do 
this out of a sense of legal obligation (and, yes, that is more than a bit circular in its logic). 
Customary international law thus is less determinate than a treaty, to put it mildly, but on the 
other hand it is thought to be binding (at least on the international plane) on all states 
(excepting those that persistently and expressly object to an emerging customary rule). 

As you might expect, some are relatively strict while others are relatively flexible in making a 
judgment about whether a rule of customary international law has come into being. Relatedly, 
some are more willing than others to give evidentiary weight to statements by government 
officials that are not directly connected to actual actions by their state. And some are more 
willing than others to point to statements by courts, international bodies, and academics. In 
short, there is much friction over the mechanics of determining customary international law, not 
to mention arguments about which potential rules properly make the cut. 

This point helps to contextualize a concept that comes up often in the cyber context: the idea 
of international “norms.” To say that something is a “norm” is not the same thing as saying that it 
is an established rule of customary international law, let alone a rule embedded in a treaty. It is 
no more and no less than a claim that some grouping has endorsed the desirability of acting or 
not acting in a certain way. If the grouping consists of states and is numerous—and if the actual 
activities of those states are consistent with their stated normative preference—then this can go 
some way towards an argument for recognition of a rule of customary international law. But be 
wary that those conditions really are met before assuming that an asserted “norm” is on its way 
towards having legal force; always consider who has asserted the norm, whether the state 
practice actually conforms to it, and whether it can fairly be said to have achieved the 
uniformity of compliance and sense of legal obligation that is supposed to characterize actual 
customary international law. 

B. International Law & International Relations 


Before digging into the content of existing international law that might relate to cyber 
operations across borders, we might pause to consider whether and why a government would 
care in practical terms about such constraints (and whether all governments are likely to care 
equally). 

o Create a list of practical reasons the U.S. government might be wise to care. 
o For each item on your list, consider whether that reason applies with the same force for 
China. 

C. Cyber Operations and the United Nations Charter 

There is no multilateral treaty expressly restricting how states might use cyber operations against 
one another's interests. Any treaty-based constraints on cyber activities must instead be based 
on some other, more-general, treaty. And that brings us to the Charter of the United Nations. 

The Charter contains a number of rules that are important to cross-border cyber activity. 

1. Use of Force 

Most notably, Article 2(4) of the U.N. Charter creates a default rule prohibiting the “use of force” 
in international affairs. This rule carries with it legal, diplomatic, and political consequences. Most 
notably: if the U.N. Security Council (consisting of five permanent members (the United States, the 
United Kingdom, France, China, and Russia) as well as a rotating cast of other states) determines 
that a state has violated this rule, it may authorize an array of significant responses (including 
economic sanctions and, in the most extreme cases, approval for other states themselves to use 
force in order to restore international peace). 

o Ponder the various types of cyber activity we have considered in this course. Can you 
think of some that, considered in isolation, might qualify as “force”? 

Notwithstanding this rule, an action that counts as a “use of force” is not prohibited by Article 
2(4) in at least three circumstances: 

Consent: An otherwise-forbidden use of force impacting another state is permitted if 
that state consents to it. 

Security Council Authorization: As noted above, the U.N. Security Council has authority to 
issue authorizations to member states to use force in limited circumstances. 

Self-Defense: Article 51 of the U.N. Charter provides that states may use force in self- 
defense (as well as defense of another state, if requested by that state) in the event of 
an “armed attack.” Note that there is fierce debate about whether and to what extent 
Article 51 self-defense includes situations in which the armed attack is merely anticipated 
but has not yet occurred. There also is considerable debate about whether the 
threshold to count as an “armed attack” triggering this right of self-defense should be 
higher than the threshold for “use of force,” with the U.S. taking the position that there is 
no gap but others disputing the point. At any rate, if and when self-defense rights are 
properly invoked, the defending state must limit its responsive use of force to means that 
are both “necessary” and “proportional” to the provocation. 

Some states—including the United States—take the view that there is a fourth scenario in which 
an otherwise-forbidden use of force is permissible: 

Unwilling/Unable: On this view, a “host state” that is unable or unwilling to prevent or 
suppress a non-state actor within its territory from engaging in armed attacks on other 
states cannot complain under Article 2(4) if the victim state (or a state the victim asks to 
come to its aid) uses necessary and proportionate force in the host state's territory 
against the attacker. This is a controversial position that first gained attention when 
invoked by the United States in relation to drone strikes against al Qaeda and related 
targets, and then gained wider acceptance when used by the United States and others 
to explain how it was lawful to use force against Islamic State targets in Syria even 
without permission of the Assad regime. 

In light of this framework, consider the following questions: 

o Can you explain why it might prove difficult to apply the Article 51 rule in the cyber 
context? Note: the Tallinn Manual 2.0 (more about it below) argues that a “cyber 
operation constitutes a use of force when its scale and effects are comparable to non- 
cyber operations rising to the level of a use of force.” 

o Can you explain why it also might prove difficult to apply the unwilling/unable test? 

o From the point of view of the victim state (and its allies), should it matter whether the state 
that engaged in the cyber operation: 

(1) used military forces, an intelligence agency, a private contractor, or any other 
institutional means to conduct the activity? 

(2) acknowledges that it conducted the activity? 

2. Internationally Wrongful Acts and Countermeasures 

Just because a cyber action falls shy of the “use of force” standard does not mean that 
international law has nothing to say about it. The action might still violate some other rule of 
international law apart from Article 2(4), and that in turn might open the door to responsive 
“countermeasures” by the victim state. 

To understand these concepts better, let's refer to the “Tallinn Manual 2.0 on the International 
Law Applicable to Cyber Operations.” The Tallinn Manual is not itself a legal instrument, though it 
is written in terms of “rules.” It is a scholarly product, resulting from a multi-year set of discussions 
among a large group of international law experts from a variety of countries (conducted under 
the auspices of the NATO Cooperative Cyber Defense Center of Excellence, but not constituting 
the views of NATO or any particular state as such). It is framed as a summary of current law 
accompanied by commentaries (though some critics contend that some of the rules it identifies 
are more aspirational than descriptive of existing law). It is, at any rate, far-and-away the most 
influential attempt thus far to describe how existing international law rules apply to various cyber 
scenarios, not to mention a convenient way to frame our discussion. 

Rule 20 of the manual provides that a “State may be entitled to take countermeasures, whether 
cyber in nature or not, in response to a breach of an international legal obligation that it is owed 
by another State.” Put more directly: if one state acts illegally towards another, it opens up the 
door to the victim retaliating with methods that otherwise would violate international law. 

Countermeasures are not punitive as such. Rather, they must be intended to induce the 
offending state to stop violating international law. (Rule 21) They are not an anything-goes 
situation, either. They may not “affect fundamental human rights,” for example. (Rule 22) And 
they “must be proportionate to the injury to which they respond.” (Rule 23) They need not 
involve the same means or domain that produced the original injury, however; they can be 
cross-domain in nature. (Rule 24) 
o Assume that a Russian intelligence agency is in the midst of conducting a covert action 
program to influence an American election. Can you identify a countermeasure the 
United States might then employ that is both compliant with the aforementioned 
constraints and might actually have an impact? 

o Same situation, but the election is now over. You are told that there is good reason to 
believe the same thing will happen in the next election, though there is no intelligence 
thus far confirming that such an operation already is underway. Is the option of 
countermeasures currently available? 

Countermeasures by definition come into play only where the other state has engaged in a 
wrongful act (or where that state is responsible for the wrongful acts of private individuals/entities 
who did so). This raises the question of what wrongful acts, other than the “use of force” 
situation under Article 2(4) of the UN Charter, would trigger the countermeasure option. 

Here, there is considerable debate, particularly as applied to cyber operations. The key thing to 
grasp is that the debate revolves around the concept of “sovereignty,” and is expressed in terms 
of differing views about what customary international law has to say about protection of 
sovereignty in contexts below the threshold of the use of force. For the most part, there is 
agreement that conduct constituting “coercive intervention” in a sovereign's affairs is covered. 
Precisely what counts as coercive intervention is contested, however, and beyond that there 
also is debate about whether non-coercive intrusions into sovereignty also might be treated as 
prohibited as a matter of customary international law (notice how this latter point might 
resonate for governments that hold to a strong view of sovereign prerogative in non-cyber 
settings). 

Here is an excerpt from a much-noticed articulation of the British view of these questions, from 
then Attorney General Jeremy Wright in May 2018: 

“In certain circumstances, cyber operations which do not meet the threshold of the use 
of force but are undertaken by one state against the territory of another state without 
that state's consent will be considered a breach of international law. 

The international law prohibition on intervention in the internal affairs of other states is of 
particular importance in modern times when technology has an increasing role to play in 
every facet of our lives, including political campaigns and the conduct of elections. As 
set out by the International Court of Justice in its judgment in the Nicaragua case, the 
purpose of this principle is to ensure that all states remain free from external, coercive 
intervention in the matters of government which are at the heart of a state's sovereignty, 
such as the freedom to choose its own political, social, economic and cultural system. 

The precise boundaries of this principle are the subject of ongoing debate between 
states, and not just in the context of cyber space. But the practical application of the 
principle in this context would be the use by a hostile state of cyber operations to 
manipulate the electoral system to alter the results of an election in another state, 
intervention in the fundamental operation of Parliament, or in the stability of our financial 
system. Such acts must surely be a breach of the prohibition on intervention in the 
domestic affairs of states. 

Furthermore, a breach of this principle of non-intervention provides victim states with the 
ability to take action in response that would otherwise be considered unlawful, but which 
is permissible if it is aimed at returning relations between the hostile state and the victim 
state to one of lawfulness, and bringing an end to the prior unlawful act. Such action is 
permissible under the international law doctrine of countermeasures. Put simply, if a 
hostile state breaches international law as a result of its coercive actions against the 
target state's sovereign freedoms, then the victim state can take action to compel that 
hostile state to stop. 

Consistent with the de-escalatory nature of international law, there are clear restrictions 
on the actions that a victim state can take under the doctrine of countermeasures. A 
countermeasure can only be taken in response to a prior internationally wrongful act 
committed by a state, and must only be directed towards that state. This means that the 
victim state must be confident in its attribution of that act to a hostile state before it takes 
action in response. In cyberspace of course, attribution presents particular challenges, to 
which I will come in a few moments. Countermeasures cannot involve the use of force, 
and they must be both necessary and proportionate to the purpose of inducing the 
hostile state to comply with its obligations under international law. 

These restrictions under the doctrine of countermeasures are generally accepted across 
the international law community. The one area where the UK departs from the excellent 
work of the International Law Commission on this issue is where the UK is responding to 
covert cyber intrusion with countermeasures. 

In such circumstances, we would not agree that we are always legally obliged to give 
prior notification to the hostile state before taking countermeasures against it. The 
covertness and secrecy of the countermeasures must of course be considered necessary 
and proportionate to the original illegality, but we say it could not be right for 
international law to require a countermeasure to expose highly sensitive capabilities in 
defending the country in the cyber arena, as in any other arena. 

In addition, it is also worth stating that, as a matter of law, there is no requirement in the 
doctrine of countermeasures for a response to be symmetrical to the underlying unlawful 
act. What matters is necessity and proportionality, which means that the UK could 
respond to a cyber intrusion through non-cyber means, and vice versa. 

Through the principle of non-intervention, it is clear that the international community has 
set a boundary at which interference in another state's sovereign freedoms is considered 
internationally wrongful and as such, in breach of international law, giving rise to the right 
to take action which may otherwise be unlawful in response. As I have already 
mentioned, the precise parameters of this principle remain the subject of ongoing 
debate in the international law community, but a further contested area amongst those 
engaged in the application of international law to cyberspace is the regulation of 
activities that fall below the threshold of a prohibited intervention, but nonetheless may 
be perceived as affecting the territorial sovereignty of another state without that state's 
prior consent. 

Some have sought to argue for the existence of a cyber specific rule of a “violation of 
territorial sovereignty” in relation to interference in the computer networks of another 
state without its consent. 

Sovereignty is of course fundamental to the international rules-based system. But I am not 
persuaded that we can currently extrapolate from that general principle a specific rule 
or additional prohibition for cyber activity beyond that of a prohibited intervention. The 
UK Government's position is therefore that there is no such rule as a matter of current 
international law.” 
It is widely thought that this reflects the U.S. position as well. Here is language from a speech by 
Brian Egan, then the Legal Adviser of the State Department, in 2016: 

“In certain circumstances, one State's non-consensual cyber operation in another State's 
territory could violate international law, even if it falls below the threshold of a use of 
force. This is a challenging area of the law that raises difficult questions. The very design 
of the Internet may lead to some encroachment on other sovereign jurisdictions. 

Precisely when a non-consensual cyber operation violates the sovereignty of another 
State is a question lawyers within the U.S. government continue to study carefully, and it is 
one that ultimately will be resolved through the practice and opinio juris of States. 

Relatedly, consider the challenges we face in clarifying the international law prohibition 
on unlawful intervention. As articulated by the International Court of Justice (ICJ) in its 
judgment on the merits in the Nicaragua Case, this rule of customary international law 
forbids States from engaging in coercive action that bears on a matter that each State is 
entitled, by the principle of State sovereignty, to decide freely, such as the choice of a 
political, economic, social, and cultural system. This is generally viewed as a relatively 
narrow rule of customary international law, but States' cyber activities could run afoul of 
this prohibition. For example, a cyber operation by a State that interferes with another 
country's ability to hold an election or that manipulates another country's election results 
would be a clear violation of the rule of non-intervention. For increased transparency, 
States need to do more work to clarify how the international law on non-intervention 
applies to States' activities in cyberspace.” 

In light of Egan's reference to states collaborating to clarify how international law applies in this 
setting, it is worth noting that the UN for many years has sponsored a “Group of Government 
Experts” (“GGE”) process focused on identifying points of agreement on such matters. In 2017, 
the most recent round of this process collapsed in the face of the unwillingness of some states 
(Cuba, most conspicuously, but with support from Russia and China) to agree that various 
bodies of international law (such as the laws of armed conflict) even apply in the cyber context. 

o Can you explain how the varying national interests and circumstances of the United 
States, Russia, and China might cause them to take different positions in the context of 
such negotiations? 

Notably, Egan asserted in that same 2016 speech that espionage does not qualify as a violation 
of international law (though of course it almost always violates the domestic law of the foreign 
state that is the subject of the collection). So too the Tallinn Manual 2.0 at Rule 32, though the 
manual observes that the answer might be different depending on the collateral consequences 
of the espionage. 

o Can you explain how this complicates the legal analysis for a victim state that has 
detected an intrusion and attributed it to a foreign government, in circumstances where 
the system penetrated contains useful information and also performs important 
functions? 

A final wrinkle: Tallinn Manual 2.0 also asserts, at Rule 26, that a “State may act pursuant to the 
plea of necessity in response to acts that present a grave and imminent peril, whether cyber in 
nature or not, to an essential interest when doing so is the sole means of safeguarding it.” 

Let's now apply some of these concepts: 
o Assume that the United States and Israel have combined forces to create malware that 
will cause physical damage to centrifuges in an Iranian nuclear facility. Does this 
constitute an armed attack? A use of force? A coercive intervention? 

o Assume the answer is that it appears at first blush to have been a coercive intervention. 
Could the U.S. and Israel make an argument that it was, in fact, a countermeasure? 

o What considerations, apart from legal ones, might impact the manner in which Iran 
chooses to categorize the activity once it learns of it? 

o Imagine that CYBERCOM manages to hack into a Russian military communications 
system, and steals data from it. Is that a “use of force”? “Armed attack”? “Coercive 
intervention”? 

o Same questions, but this time CYBERCOM causes the system to stop functioning for one 
hour. 

o Same, but this time CYBERCOM causes the system to overheat, resulting in physical 
damage that ruins the system. 

o Same, but this time CYBERCOM causes the system to explode, killing several nearby 
personnel. 

D. Cyber Operations During Armed Conflict 

Does the law of armed conflict apply to computer network operations? That is, are they subject 
to the familiar law of armed conflict rules such as the prohibition on intentionally attacking 
civilians and civilian objects (a rule that has exceptions, of course, such as the exception for 
civilians who are in the midst of participating in hostilities, or civilian objects being used for 
military purposes), and the “collateral damage” rule that forbids attacks on otherwise- 
permissible targets where the anticipated civilian harm will outweigh the expected military 
benefit? The Tallinn Manual 2.0 explains the majority view (which the United States and its allies 
share): 

Rule 80: “Cyber operations executed in the context of an armed conflict are subject to the 
law of armed conflict.” 

Does it mean that all computer network operations conducted by a military entity are 
subject to the law of armed conflict at all times? Conversely, does it mean that 
computer network operations conducted by a non-military unit are not so subject? 

E. Cyber Operations and Human Rights Law 

A full treatment of this topic is beyond our scope, but for now it suffices to say that there is fierce 
disagreement regarding the extent to which the international human right to privacy 
(memorialized, for example, in Article 17 of the International Covenant on Civil and Political 
Rights, which forbids “arbitrary or unlawful interference with ... privacy”) is implicated by a 
foreign government's cyber activities conducted for purposes of espionage. 
III. CRISIS SIMULATION 


25. December 6 - Crisis Simulation 


With Units I and II under our belts, the stage is set to integrate our accumulated knowledge in a 
practical setting. In the final class meeting we will conduct a crisis simulation exercise—a role- 
play simulating an unfolding cybersecurity crisis—that will give you a unique opportunity to work 
in teams to demonstrate, and practice with, what you have learned. There is no additional 
reading for this session. 

IV. FINAL EXAM 


December 14 - Good luck! 




